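# systemd unit settings for grafana-server: replaces the start command and
# runs the service in a restricted sandbox (read-only root, explicit path
# allow-list, private /tmp).
# NOTE(review): there is no Description= or [Install] section, so this is
# presumably a drop-in override for the packaged unit. Confirm where it is
# installed.

[Unit]
# 0 disables start rate limiting. Together with Restart=on-failure below, a
# service that keeps failing is restarted every RestartSec without ever being
# given up on, so alert on repeated restarts.
StartLimitIntervalSec=0

[Service]
# TODO: Store or provision a set of plugins, preferably the latter
# An empty assignment clears any previously defined ExecStart= so the command
# below replaces it instead of being added to it.
ExecStart=
ExecStart=/usr/sbin/grafana-server \
    --config=/etc/grafana/grafana.ini \
    --pidfile=/run/grafana/grafana-server.pid \
    --packaging=deb \
    cfg:default.paths.logs=/var/log/grafana \
    cfg:default.paths.data=/tmp/data \
    cfg:default.paths.plugins=/tmp/plugins \
    cfg:default.paths.provisioning=/tmp/provision
Restart=on-failure
# seconds
RestartSec=10

# Filesystem view: the whole hierarchy is read-only, / is replaced by an empty
# read-only tmpfs, and only the paths listed in BindReadOnlyPaths= are bound
# back in (read-only).
ProtectSystem=strict
PrivateUsers=yes
NoNewPrivileges=yes
TemporaryFileSystem=/:ro
# NOTE(review): /var/lib/grafana/plugins is bound here, but the command line
# points paths.plugins at /tmp/plugins. Confirm which directory is intended
# (see the TODO above).
# NOTE(review): nothing else under /etc is visible (e.g. resolv.conf, the CA
# certificate bundle). Confirm that DNS resolution and outbound TLS to data
# sources still work inside this sandbox.
BindReadOnlyPaths=/etc/grafana /var/lib/grafana/plugins /usr /lib /lib64
# Writable locations: /var/log/grafana (matches paths.logs) and /run/grafana
# (matches --pidfile).
LogsDirectory=grafana
RuntimeDirectory=grafana

# Kernel and process restrictions.
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
# /tmp and /var/tmp are private to the service and are removed when it stops.
# paths.data, paths.plugins and paths.provisioning above all live under /tmp,
# so that state does not survive a stop or restart.
# NOTE(review): if grafana.ini keeps its database under paths.data, dashboards
# and users are lost as well. Confirm this is intended.
PrivateTmp=yes
PrivateDevices=yes
# NOTE(review): `systemd-analyze security <unit>` reports the remaining
# exposure. Candidates to evaluate include ProtectKernelLogs=, ProtectClock=,
# ProtectHostname=, SystemCallArchitectures=native and CapabilityBoundingSet=.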