{{ ansible_managed | comment }}
[Unit]
Description=Blackbox Exporter
After=network-online.target
StartLimitInterval=0
StartLimitIntervalSec=0

[Service]
Type=simple
User={{ blackbox_exporter_system_user }}
Group={{ blackbox_exporter_system_group }}
PermissionsStartOnly=true
ExecReload=/bin/kill -HUP $MAINPID
ExecStart={{ blackbox_exporter_binary_install_dir }}/blackbox_exporter \
  --config.file={{ blackbox_exporter_config_dir }}/blackbox_exporter.yml \
  {% for flag, flag_value in blackbox_exporter_cli_flags.items() -%}
  --{{ flag }}={{ flag_value }} \
  {% endfor -%}
{% if blackbox_exporter_version is version('0.23.0', '>=') and
      blackbox_exporter_web_listen_address is iterable and
      blackbox_exporter_web_listen_address is not mapping and
      blackbox_exporter_web_listen_address is not string %}
{%   for address in blackbox_exporter_web_listen_address %}
  --web.listen-address={{ address }}{{ " \\" if not loop.last else "" }}
{%   endfor %}
{% else %}
  --web.listen-address={{ blackbox_exporter_web_listen_address }}
{% endif %}

SyslogIdentifier=blackbox_exporter
KillMode=process
Restart=always
RestartSec=5

LockPersonality=true
NoNewPrivileges=true
MemoryDenyWriteExecute=true
PrivateTmp=true
ProtectHome=true
RemoveIPC=true
RestrictSUIDSGID=true

AmbientCapabilities=CAP_NET_RAW
{% if (ansible_facts.packages.systemd | first).version is version('232', '>=') %}
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=yes
ProtectSystem=strict
{% else %}
ProtectSystem=full
{% endif %}

[Install]
WantedBy=multi-user.target