infrastructure/roles/prometheus_exporters/templates/gitlab-exporter.service.j2

[Unit]
Description=Gitlab Exporter
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
StandardOutput=journal+console
EnvironmentFile=-/etc/conf.d/gitlab-exporter
User=node_exporter
ExecStart=/usr/bin/gitlab-exporter -o {{ prometheus_textfile_dir }}/gitlab-exporter.prom cli

NoNewPrivileges=true
LockPersonality=true
CapabilityBoundingSet=
UMask=077

PrivateDevices=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths={{ prometheus_textfile_dir }}

MemoryDenyWriteExecute=true
RemoveIPC=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictSUIDSGID=true

RestrictAddressFamilies=~AF_NETLINK
RestrictAddressFamilies=~AF_PACKET

ProtectHostname=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectClock=true

SystemCallArchitectures=native