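# systemd unit for the Prometheus blackbox exporter.
# The service runs as a transient unprivileged user inside a sandbox and
# keeps a single capability, CAP_NET_RAW.
# NOTE(review): the exporter probes targets on behalf of whoever can reach
# its HTTP listen port, so restrict that port to the Prometheus server
# (firewall rule or listen address) - the unit itself does not do this.

[Unit]
Description=Prometheus blackbox Exporter
After=network.target

[Service]
# The probe module definitions are read from this file. It must be readable
# by the dynamic user, so keep credentials in it to a minimum.
ExecStart=/usr/bin/prometheus-blackbox-exporter --config.file="/etc/prometheus/blackbox.yml"
# "systemctl reload" sends SIGHUP to the main process.
ExecReload=/bin/kill -HUP $MAINPID

# Identity: a UID/GID is allocated at start, so there is no static account.
DynamicUser=true
# Block privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=true

# File system view.
# systemd.exec(5) documents DynamicUser=true as implying ProtectSystem=strict;
# the value is written out so the file states the protection actually wanted
# (was "full", which leaves everything outside /usr, /boot, /efi and /etc
# writable).
ProtectSystem=strict
# Stricter than the read-only default implied by DynamicUser=: /home, /root
# and /run/user are inaccessible.
ProtectHome=true
PrivateTmp=true
PrivateDevices=true

# Kernel and host interfaces.
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectHostname=true

# Process restrictions.
LockPersonality=true
RestrictRealtime=true
MemoryDenyWriteExecute=true
# Added: the exporter has no need to create namespaces or to issue
# non-native (e.g. 32-bit compat) system calls.
RestrictNamespaces=true
SystemCallArchitectures=native

# Capabilities: CAP_NET_RAW is the only one left in the bounding set, and it
# is raised as an ambient capability so the unprivileged user holds it.
# The original listed CapabilityBoundingSet= twice (an empty reset, then this
# value, split by another directive); the effective set is unchanged.
# NOTE(review): presumably needed for raw-socket ICMP probes - confirm
# against the modules in blackbox.yml and empty both lines if none uses it.
CapabilityBoundingSet=CAP_NET_RAW
AmbientCapabilities=CAP_NET_RAW

# NOTE(review): RestrictAddressFamilies= and SystemCallFilter= are not set.
# Add them after testing every configured probe type, and check the result
# with "systemd-analyze security" on this unit.

[Install]
WantedBy=multi-user.target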