[Unit]
Description=Offen Fair Web Analytics
After=network.target postgresql.service mariadb.service

[Service]
Type=simple
EnvironmentFile={{ offen_root_dir }}/etc/offen.conf
User={{ offen_user }}
ExecStart={{ offen_root_dir }}/bin/offen
RuntimeDirectory=offen
Restart=always
RestartSec=5
Restart=always
NoNewPrivileges=true
PrivateDevices=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectClock=yes
RestrictRealtime=true
RestrictNamespaces=yes
ReadWritePaths=/run
PrivateTmp=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
SystemCallErrorNumber=EPERM
LockPersonality=yes
MemoryDenyWriteExecute=yes

[Install]
WantedBy=multi-user.target