[Unit]
Description=Prometheus AlertManager
Documentation=https://github.com/prometheus/alertmanager/blob/main/README.md
After=network-online.target
Wants=network-online.target

[Service]
Type=exec
Environment=CLUSTER_LISTEN_ADDRESS=
Environment=WEB_LISTEN_ADDRESS=[::1]:9093
EnvironmentFile=-/etc/sysconfig/alertmanager
ExecStart=/usr/sbin/alertmanager \
	--config.file=/etc/prometheus/alertmanager.yml \
	--cluster.listen-address=${CLUSTER_LISTEN_ADDRESS} \
	--web.listen-address=${WEB_LISTEN_ADDRESS}
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
User=alertmanager
StateDirectory=alertmanager
WorkingDirectory=/var/lib/alertmanager

CapabilityBoundingSet=
DeviceAllow=
DevicePolicy=closed
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateUsers=yes
PrivateTmp=yes
ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
UMask=0027

[Install]
WantedBy=multi-user.target