[Unit]
Description=prometheus
After=network.target iptables.service
# Location of this file would be /etc/systemd/system/x.service (on redhat)

[Service]
Type=simple
#User=myuser
#Group=myuser
ExecStart=/prometheus --config.file=prometheus.yml
Restart=always
RestartSec=1m
IPAccounting=yes
IPAddressDeny=any
IPAddressAllow=127.0.0.0/8

# Hardening
NoNewPrivileges=true
PrivateTmp=true
PrivateMounts=true
PrivateDevices=true
ProtectSystem=full
ProtectHostname=true
ProtectKernelTunables=true
ProcSubset=pid
RestrictSUIDSGID=true
PrivateUsers=true
RootDirectory=/srv/prometheus
BindReadOnlyPaths=/etc/resolv.conf
InaccessiblePaths=/bin /boot /lib /lib64 /media /mnt /opt /root /sbin /usr /var
StandardOutput=append:/srv/prometheus/stdout.log
StandardError=inherit

[Install]
WantedBy=multi-user.target