[Unit]
Description=Prometheus exporter for IPMI metrics
Requires=network-online.target
After=network-online.target

[Service]
# If IPMI_EXPORTER_ARGS is required, it should be applied using a
# drop-in systemd file. See `man 5 systemd.unit` for details.
ExecStart=/usr/bin/ipmi_exporter $IPMI_EXPORTER_ARGS
ExecReload=/bin/kill -HUP $MAINPID
User=ipmi-exporter
Group=ipmi-exporter
Restart=on-failure
RestartSec=5s

NoNewPrivileges=true
LimitNOFILE=1048576
UMask=0077

ProtectSystem=strict
ProtectHome=true
PrivateUsers=yes
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
CapabilityBoundingSet=
AmbientCapabilities=

SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target