[Unit]
Description=Podbringer web server
After=network.target
 
[Service]
Type=simple
 
AmbientCapabilities=
CapabilityBoundingSet=
DynamicUser=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
PrivateUsers=yes
RemoveIPC=yes
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
UMask=0077
 
ExecStart=/usr/sbin/podbringer
Restart=on-failure
RestartSec=10
StartLimitInterval=1m
StartLimitBurst=5

Environment="ROCKET_CONFIG=/etc/podbringer.toml"
Environment="ROCKET_TEMPLATE_DIR=/usr/share/podbringer/templates"
 
[Install]
WantedBy=multi-user.target