[Unit]
Description=Prometheus {{ item.name|capitalize }} Exporter TextCollector
After=network.target
After={{ item.service }}.service

[Service]
Type=oneshot
ExecStart=/usr/local/bin/{{ item.name }}-textcollector.sh {{ prometheus_textfile_dir }}

NoNewPrivileges=true
LockPersonality=true

PrivateDevices=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths={{ prometheus_textfile_dir }} /root/.cache/borg

MemoryDenyWriteExecute=true
RemoveIPC=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictSUIDSGID=true

RestrictAddressFamilies=~AF_PACKET
RestrictAddressFamilies=~AF_NETLINK

ProtectHostname=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectClock=true

SystemCallArchitectures=native

[Install]
WantedBy={{ item.service }}.service