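# systemd service unit for the Prometheus SNMP exporter.
# Runs the exporter as a transient unprivileged user inside a restricted
# sandbox. systemd only recognises full-line comments, so every comment
# below sits on its own line.

[Unit]
Description=Prometheus snmp Exporter
After=network.target

[Service]
# NOTE(review): snmp.yml usually carries SNMP community strings or SNMPv3
# credentials. Under DynamicUser= it must be readable by a UID that is not
# known in advance -- check that this has not left the file world-readable.
ExecStart=/usr/local/bin/prometheus-snmp-exporter --config.file="/etc/prometheus/snmp.yml"
# Reload is delivered as SIGHUP to the main process.
ExecReload=/bin/kill -HUP $MAINPID

# --- identity ---------------------------------------------------------------
# Transient UID/GID allocated for the lifetime of the service. DynamicUser=
# already implies ProtectSystem=strict, ProtectHome=read-only, PrivateTmp=,
# NoNewPrivileges= and RestrictSUIDSGID=. The explicit lines further down are
# redundant with that but keep the intent visible.
DynamicUser=true
NoNewPrivileges=true

# --- filesystem -------------------------------------------------------------
# binary in /usr/local/bin - not /bin
# ProtectSystem= only makes paths read-only; it does not stop a binary under
# /usr/local/bin from being executed. With DynamicUser=true the stricter
# ProtectSystem=strict is in force regardless, so the line below stays
# disabled as history only.
#ProtectSystem=full
ProtectHome=true
PrivateTmp=true
PrivateDevices=true

# --- kernel and host surface ------------------------------------------------
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectHostname=true
LockPersonality=true
RestrictRealtime=true
MemoryDenyWriteExecute=true

# --- capabilities -----------------------------------------------------------
# The original listed an empty "CapabilityBoundingSet=" reset followed, two
# lines later, by this assignment. The effective bounding set was CAP_NET_RAW
# either way, so the duplicate key is folded into a single line.
# NOTE(review): SNMP polling normally uses ordinary UDP sockets, which need no
# capability. The "icmp fix" remark suggests these lines were carried over
# from an ICMP-probing unit -- confirm the exporter needs CAP_NET_RAW; if it
# does not, set CapabilityBoundingSet= to empty and drop AmbientCapabilities=.
CapabilityBoundingSet=CAP_NET_RAW
# Ambient set is what actually hands the capability to the non-root dynamic user.
AmbientCapabilities=CAP_NET_RAW
# extra: icmp fix
# With PrivateUsers=true the service would hold no capabilities in the host's
# user namespace, which would defeat CAP_NET_RAW above.
PrivateUsers=false

# NOTE(review): address families, system calls and namespaces are not
# restricted here. "systemd-analyze security UNIT_NAME" lists what remains
# exposed.

[Install]
WantedBy=multi-user.target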