infrastructure/roles/prometheus_exporters/templates/prometheus-arch-textcollector.service.j2

[Unit]
Description=Prometheus Arch Exporter
After=network.target

[Service]
Type=oneshot
User=node_exporter
ExecStart=/usr/local/bin/arch-textcollector.sh {{ prometheus_textfile_dir }}

NoNewPrivileges=true
LockPersonality=true
CapabilityBoundingSet=
UMask=077

PrivateDevices=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths={{ prometheus_textfile_dir }}

MemoryDenyWriteExecute=true
RemoveIPC=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictSUIDSGID=true

RestrictAddressFamilies=~AF_NETLINK
RestrictAddressFamilies=~AF_PACKET

ProtectHostname=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectClock=true

SystemCallArchitectures=native