[Unit] Description=Prometheus blackbox Exporter After=network.target [Service] User=blackbox_exporter Group=blackbox_exporter ExecStart=/usr/bin/blackbox_exporter --config.file="/etc/blackbox_exporter/blackbox.yml" ExecReload=/bin/kill -HUP $MAINPID DynamicUser=true NoNewPrivileges=true ProtectSystem=full ProtectKernelModules=true ProtectKernelTunables=true PrivateTmp=true LockPersonality=true ProtectHostname=true ProtectHome=true ProtectControlGroups=true ProtectKernelLogs=true PrivateDevices=true RestrictRealtime=true CapabilityBoundingSet= MemoryDenyWriteExecute=true CapabilityBoundingSet=CAP_NET_RAW AmbientCapabilities=CAP_NET_RAW [Install]