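# systemd unit (template): one-shot run of hetzner-textcollector.sh, which is
# handed the Prometheus textfile directory as its only argument.
# The prometheus_textfile_dir variable is substituted verbatim at render time;
# it must be an absolute path without whitespace, because both ExecStart= and
# ReadWritePaths= split their value on spaces.

[Unit]
Description=Prometheus Hetzner Exporter TextCollector
# After= only orders this unit relative to the target; Wants= is what pulls
# network-online.target into the transaction so the ordering has an effect.
Wants=network-online.target
After=network-online.target

[Service]
# Type=oneshot has no start timeout by default, so a hung run stays in
# "activating" and later start requests do not launch a new run.
# NOTE(review): consider TimeoutStartSec= once the script's normal runtime is known.
Type=oneshot
ExecStart=/usr/local/bin/hetzner-textcollector.sh {{ prometheus_textfile_dir }}

# NOTE(review): no User=/Group= is set, so when installed as a system unit the
# script runs as root, and neither CapabilityBoundingSet= nor SystemCallFilter=
# is configured. The sandboxing below narrows what that root process can reach
# but does not replace a dedicated unprivileged account; confirm who owns the
# textfile directory before changing the user.

# Privilege and personality restrictions
NoNewPrivileges=true
RestrictSUIDSGID=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictNamespaces=true
SystemCallArchitectures=native
RemoveIPC=true

# File system view: everything read-only except the textfile directory,
# with private /tmp and no access to physical devices.
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths={{ prometheus_textfile_dir }}
PrivateTmp=true
PrivateDevices=true

# Kernel and host state
ProtectHostname=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectKernelModules=true

# Deny-list ("~" prefix applies to the whole list): only these two address
# families are blocked, every other family stays available to the script.
# NOTE(review): an allow-list of the families the script actually uses would
# be tighter; verify what it needs before switching.
RestrictAddressFamilies=~AF_PACKET AF_NETLINK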