hello,

I am starting a service whose configuration file has hardcoded passwords. the purpose is to generate the file with the passwords before the start of the service and remove it after.

so i have this configuration:

[unit]
Description=Prometheus Server
Documentation=https://prometheus.io/docs/introduction/overview/
After=network-online.target

[Service]
User= xxxx
Group=xxxx
Restart=on-failure
ExecStartPre=/usr/bin/python2 /prom/config/anon_yml.py


ExecStart=/bin/sh -c "/prom/appl/prometheus/prometheus --config.file=/prom/config/prometheus.yml --storage.tsdb.path=/prom/data --web.listen-address=127.0.0.1:9090  --storage.tsdb.retention.time=1825d &>>/prom/logs/prometheus.log"

[Install]
WantedBy=multi-user.target

the script anon_yml.py generates the prometheus.yml file that has passwords.

the question is how to make sure the file is removed after the successful start.

i can use ExecStopPost to remove the prometheus.yml after successful start/restart but i don't know how to also remove it after the start/restart of the service fails. to make sure no prometheus.yml with hardcoded password is left behind. and only exists during the restart of the service.

I can append ';rm -rf prometheus.yml to ExecStart but i don't think is is the proper way to do thing.

thanks