{{ ansible_managed | comment }}

[Unit]
Description=Prometheus Pushgateway
After=network-online.target

[Service]
Type=simple
User={{ pushgateway_system_user }}
Group={{ pushgateway_system_group }}
ExecStart={{ pushgateway_binary_install_dir }}/pushgateway \
{% if pushgateway_tls_server_config | length > 0 or pushgateway_http_server_config | length > 0 or pushgateway_basic_auth_users | length > 0 %}
    {% if pushgateway_version is version('1.5.0', '>=') %}
    '--web.config.file={{ pushgateway_config_dir }}/web_config.yml' \
    {% else %}
    '--web.config={{ pushgateway_config_dir }}/web_config.yml' \
    {% endif %}
{% endif %}
{% if pushgateway_version is version('1.5.0', '>=') and
      pushgateway_web_listen_address is iterable and
      pushgateway_web_listen_address is not mapping and
      pushgateway_web_listen_address is not string %}
{%   for address in pushgateway_web_listen_address %}
    '--web.listen-address={{ address }}' \
{%   endfor %}
{% else %}
    '--web.listen-address={{ pushgateway_web_listen_address }}' \
{% endif %}
    '--web.telemetry-path={{ pushgateway_web_telemetry_path }}'

SyslogIdentifier=pushgateway
Restart=always
RestartSec=1
StartLimitInterval=0

{% set ns = namespace(protect_home = 'yes') %}
{% for m in ansible_mounts if m.mount.startswith('/home') %}
{%   set ns.protect_home = 'read-only' %}
{% endfor %}
ProtectHome={{ ns.protect_home }}
NoNewPrivileges=yes

{% if (ansible_facts.packages.systemd | first).version is version('232', '>=') %}
ProtectSystem=strict
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=yes
{% else %}
ProtectSystem=full
{% endif %}

[Install]
WantedBy=multi-user.target