[Unit]
Description=Prometheus blackbox Exporter
After=network.target

[Service]
EnvironmentFile=-/etc/conf.d/prometheus-blackbox-exporter
ExecStart=/usr/bin/prometheus-blackbox-exporter $BLACKBOX_EXPORTER_ARGS
ExecReload=/bin/kill -HUP $MAINPID
DynamicUser=true

NoNewPrivileges=true
ProtectSystem=full
ProtectKernelModules=true
ProtectKernelTunables=true
PrivateTmp=true
LockPersonality=true
ProtectHostname=true
ProtectHome=true
ProtectControlGroups=true
ProtectKernelLogs=true
PrivateDevices=true
RestrictRealtime=true
CapabilityBoundingSet=
MemoryDenyWriteExecute=true
CapabilityBoundingSet=CAP_NET_RAW
AmbientCapabilities=CAP_NET_RAW

[Install]
WantedBy=multi-user.target