# This file is systemd template for monit service. To
# register monit with systemd, place the monit.service file
# to the /lib/systemd/system/ directory and then start it
# using systemctl (see bellow).
#
# Enable monit to start on boot:
#         systemctl enable monit.service
#
# Start monit immediately:
#         systemctl start monit.service
#
# Stop monit:
#         systemctl stop monit.service
#
# Status:
#         systemctl status monit.service

[Unit]
Description=Pro-active monitoring utility for unix systems
After=network-online.target
Documentation=man:monit(1) https://mmonit.com/wiki/Monit/HowTo

[Service]
Type=simple
KillMode=process
ExecStart=/usr/bin/monit -I
ExecStop=/usr/bin/monit quit
ExecReload=/usr/bin/monit reload
Restart=on-abnormal
StandardOutput=null

# hardening options
#  details: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW CAP_SYS_PTRACE
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=yes
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=/run/ /var/lib/monit/ /var/log/
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target