[Unit]
Description=High-performance, cost-effective and scalable time series database, long-term remote storage for Prometheus
Documentation=https://docs.victoriametrics.com/
After=network-online.target

[Service]
User=victoria-metrics
Group=victoria-metrics
Type=simple
StartLimitBurst=5
StartLimitInterval=0
Restart=on-failure
RestartSec=1
ExecStart=/usr/bin/victoria-metrics -storageDataPath=/var/lib/victoria-metrics
ExecStop=/bin/kill -s SIGTERM $MAINPID

# hardening options
UMask=0077
NoNewPrivileges=true
LimitNOFILE=1048576
ProtectSystem=strict
ProtectHome=true
PrivateUsers=yes
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
CapabilityBoundingSet=
AmbientCapabilities=
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target