{ config, lib, ... }: { options.services.prometheus.local-exporters = lib.mkOption { type = lib.types.anything; }; config.systemd.services = lib.mapAttrs (_: exporter: lib.mkMerge [ { wantedBy = ["multi-user.target"]; after = ["network.target"]; serviceConfig = { Restart = "always"; PrivateTmp = true; WorkingDirectory = "/tmp"; DynamicUser = true; LockPersonality = true; MemoryDenyWriteExecute = true; NonNewPrivileges = true; PrivateDevices = true; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectSystem = "strict"; RemoveIPC = true; RestrictAddressFamilies = lib.mkDefault ["AF_INET" "AF_INET6"]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; UMask = "0077"; }; } (removeAttrs exporter ["port" "listenAddress"]) ]) config.services.prometheus.local-exporters; }