From 8a4600c64fe200796dbc44e8977ada40b3609359 Mon Sep 17 00:00:00 2001
From: Emelia Smith
Date: Sat, 21 Jun 2025 17:23:30 +0200
Subject: [PATCH] Add systemd service file for prometheus exporter

---
 dist/mastodon-prometheus-exporter.service | 51 +++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 dist/mastodon-prometheus-exporter.service

diff --git a/dist/mastodon-prometheus-exporter.service b/dist/mastodon-prometheus-exporter.service
new file mode 100644
index 00000000000..b8e0fdf5278
--- /dev/null
+++ b/dist/mastodon-prometheus-exporter.service
@@ -0,0 +1,51 @@
+[Unit]
+Description=mastodon-prometheus-exporter
+After=network.target
+
+[Service]
+Type=simple
+User=mastodon
+WorkingDirectory=/home/mastodon/live
+Environment="LD_PRELOAD=libjemalloc.so"
+ExecStart=/home/mastodon/.rbenv/shims/bundle exec bin/prometheus_exporter -p 9394 -b 127.0.0.1 --prefix 'mastodon_'
+ExecReload=/bin/kill -SIGUSR1 $MAINPID
+TimeoutSec=15
+Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
+# Capabilities
+CapabilityBoundingSet=
+# Security
+NoNewPrivileges=true
+# Sandboxing
+ProtectSystem=strict
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET
+RestrictAddressFamilies=AF_INET6
+RestrictAddressFamilies=AF_NETLINK
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+LockPersonality=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+PrivateMounts=true
+ProtectClock=true
+# System Call Filtering
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
+ReadWritePaths=/home/mastodon/live
+
+[Install]
+WantedBy=multi-user.target
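Review bot: `ReadWritePaths=/home/mastodon/live` makes the whole application checkout writable by the exporter process, so a compromise of this metrics server could alter code and config that the web and sidekiq units execute; if the exporter only needs to write logs or tmp files, narrowing this to `ReadWritePaths=/home/mastodon/live/log /home/mastodon/live/tmp` (or dropping the line and relying on `ProtectSystem=strict`) keeps the unit least-privilege — worth confirming what bin/prometheus_exporter actually writes. `ExecReload=/bin/kill -SIGUSR1 $MAINPID` looks carried over from the Puma unit; unless bin/prometheus_exporter installs a SIGUSR1 handler, Ruby's default handling of that signal terminates the process, so `systemctl reload` would behave as a restart and the `ExecReload=` line is probably better removed than left misleading. Similarly `RestrictAddressFamilies=AF_NETLINK` is unlikely to be needed by an HTTP server bound to 127.0.0.1 and could be dropped. A comment above `ExecStart=` recording that the metrics endpoint is unauthenticated and must stay on loopback would help the next operator, e.g. `# The metrics endpoint has no authentication: keep -b on 127.0.0.1 or put it behind an authenticating reverse proxy.`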