# systemd unit (Jinja2 template) for the Prometheus exporter_exporter, a proxy
# that serves the exporters enabled under /etc/prometheus/exporter/enabled
# through a single listen address.
[Unit]
Description=Prometheus exporter proxy

[Service]
# Restart the proxy whenever the process exits, whatever the exit status.
Restart=always
# Run as a dedicated unprivileged account instead of root.
User=prometheus-exporter
# --config.dirs points at the directory of enabled exporter definitions.
# --config.file="" presumably disables the single-file configuration so that
# only the directory is read -- confirm against the exporter_exporter docs.
# The listen address is filled in by the template variable
# prometheus_exporter_listen. No TLS or authentication flags are passed on this
# command line, so if that address is not loopback, access control has to come
# from somewhere else (firewall, reverse proxy) -- NOTE(review): confirm.
ExecStart=/usr/bin/prometheus-exporter-exporter --config.dirs=/etc/prometheus/exporter/enabled --config.file="" --web.listen-address="{{ prometheus_exporter_listen }}"
{# TODO: implement reloading once the exporter_exporter supports this #}

# systemd hardening-options
# Empty assignments: the service gets no ambient capabilities and its
# capability bounding set is empty.
AmbientCapabilities=
CapabilityBoundingSet=
# With DevicePolicy=strict only explicitly allowed device nodes are usable;
# /dev/null (read/write) is the only one allowed here.
DeviceAllow=/dev/null rw
DevicePolicy=strict
# Forbid changing the kernel execution domain (personality).
LockPersonality=true
# Forbid memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=true
# The process and its children cannot gain privileges through execve()
# (setuid/setgid bits, file capabilities).
NoNewPrivileges=true
# Private /dev containing only pseudo-devices such as null, zero and random.
PrivateDevices=true
# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=true
# Run in a private user namespace with a minimal user/group mapping.
PrivateUsers=true
# Make the cgroup hierarchy under /sys/fs/cgroup read-only for the service.
ProtectControlGroups=true
# /home, /root and /run/user are inaccessible.
ProtectHome=true
# Deny explicit loading and unloading of kernel modules.
ProtectKernelModules=true
# Kernel tunables under /proc/sys and /sys are read-only.
ProtectKernelTunables=true
# The whole file system hierarchy is mounted read-only except /dev, /proc and
# /sys. No ReadWritePaths= is set in this unit, so apart from the private
# /tmp and /var/tmp the service has nowhere to write.
ProtectSystem=strict
# Remove System V and POSIX IPC objects owned by the service user when the
# unit stops.
RemoveIPC=true
# Deny creating or entering any kind of Linux namespace.
RestrictNamespaces=true
# Deny acquiring realtime scheduling policies.
RestrictRealtime=true
# Only system calls of the native ABI may be used.
SystemCallArchitectures=native
# NOTE(review): this set leaves socket address families and the system call
# set unrestricted (no RestrictAddressFamilies= or SystemCallFilter=). Before
# adding either, check what the proxied and exec-based exporter modules
# actually need; `systemd-analyze security <unit-name>` lists the remaining
# exposure of the rendered unit.

[Install]
WantedBy=multi-user.target