ansible-collection-prometheus/roles/alertmanager/templates/alertmanager.service.j2

{%- if alertmanager_version is version_compare('0.13.0', '>=') %}
{%- set pre = '-' %}
{%- else %}
{%- set pre = '' %}
{%- endif %}
{%- if alertmanager_version is version_compare('0.15.0', '<') %}
{%- set cluster_flag = 'mesh' %}
{%- else %}
{%- set cluster_flag = 'cluster' %}
{%- endif %}
{{ ansible_managed | comment }}
[Unit]
Description=Prometheus Alertmanager
After=network-online.target
StartLimitInterval=0
StartLimitIntervalSec=0

[Service]
Type=simple
PIDFile=/var/run/alertmanager.pid
User=alertmanager
Group=alertmanager
ExecReload=/bin/kill -HUP $MAINPID
ExecStart={{ _alertmanager_binary_install_dir }}/alertmanager \
{% for option, value in (alertmanager_cluster.items() | sort) %}
{%   if option == "peers" %}
{%     for peer in value %}
  {{ pre }}-{{ cluster_flag }}.peer={{ peer }} \
{%     endfor %}
{%   else %}
  {{ pre }}-{{ cluster_flag }}.{{ option }}={{ value }} \
{%   endif %}
{% endfor %}
  {{ pre }}-config.file={{ alertmanager_config_dir }}/alertmanager.yml \
  {{ pre }}-storage.path={{ alertmanager_db_dir }} \
  {{ pre }}-web.listen-address={{ alertmanager_web_listen_address }} \
  {{ pre }}-web.external-url={{ alertmanager_web_external_url }}{% for flag, flag_value in alertmanager_config_flags_extra.items() %} \
  {{ pre }}-{{ flag }}={{ flag_value }}{% endfor %}

SyslogIdentifier=alertmanager
Restart=always
RestartSec=5

CapabilityBoundingSet=CAP_SET_UID
LockPersonality=true
NoNewPrivileges=true
MemoryDenyWriteExecute=true
PrivateTmp=true
ProtectHome=true
ReadWriteDirectories={{ alertmanager_db_dir }}
RemoveIPC=true
RestrictSUIDSGID=true

{% if (ansible_facts.packages.systemd | first).version is version('232', '>=') %}
PrivateUsers=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=yes
ProtectSystem=strict
{% else %}
ProtectSystem=full
{% endif %}

[Install]
WantedBy=multi-user.target