{{ ansible_managed | comment }}

[Unit]
Description=Prometheus BIND Exporter
After=network-online.target

[Service]
Type=simple
User={{ bind_exporter_system_user }}
Group={{ bind_exporter_system_group }}
ExecStart={{ bind_exporter_binary_install_dir }}/bind_exporter \
{% if bind_exporter_stats_groups | length > 0 %}
    --bind.stats-groups="{{ bind_exporter_stats_groups | join(',') }}" \
{% endif %}
{% if bind_exporter_tls_server_config | length > 0 or bind_exporter_http_server_config | length > 0 or bind_exporter_basic_auth_users | length > 0 %}
    --web.config.file={{ bind_exporter_config_dir }}/web_config.yml \
{% endif %}
    --bind.stats-url="{{ bind_exporter_stats_url }}" \
    --bind.timeout="{{ bind_exporter_timeout }}" \
    --bind.pid-file="{{ bind_exporter_pid_file }}" \
    --bind.stats-version={{ bind_exporter_stats_version }} \
{% if bind_exporter_web_listen_address is iterable and
      bind_exporter_web_listen_address is not mapping and
      bind_exporter_web_listen_address is not string %}
{%   for address in bind_exporter_web_listen_address %}
    --web.listen-address={{ address }} \
{%   endfor %}
{% else %}
    --web.listen-address={{ bind_exporter_web_listen_address }} \
{% endif %}
    --web.telemetry-path={{ bind_exporter_web_telemetry_path }}


SyslogIdentifier=bind_exporter
Restart=always
RestartSec=1
StartLimitInterval=0

{% set protect_home = 'yes' %}
{% for m in ansible_facts['mounts'] if m.mount.startswith('/home') %}
{%   set protect_home = 'read-only' %}
{% endfor %}
ProtectHome={{ protect_home }}
NoNewPrivileges=yes

{% if (ansible_facts.packages.systemd | first).version is version('232', '>=') %}
ProtectSystem=strict
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=yes
{% else %}
ProtectSystem=full
{% endif %}

[Install]
WantedBy=multi-user.target