[Unit]
Description=__APP__: personal finance manager
After=syslog.target network.target

[Service]
Type=simple
User=__APP__
Group=__APP__
WorkingDirectory=__INSTALL_DIR__/
Environment="__YNH_NODE_LOAD_PATH__"
Environment=NODE_ENV=production
ExecStart=__INSTALL_DIR__/bin/kresus.js --config __INSTALL_DIR__/config.ini
Restart=always
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=__APP__
# /var/log is implied
LogsDirectory=__APP__

AmbientCapabilities=
CapabilityBoundingSet=
LockPersonality=true
#Not compatible with NodeJS
#MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
# PrivateUsers=true does not work on Debian 11
PrivateUsers=false
ProtectClock=true
ProtectControlGroups=true
# See https://github.com/systemd/systemd/issues/7153
ProtectHome=false
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
#SecureBits=noroot-locked
SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
SystemCallErrorNumber=EPERM
ReadWritePaths=__DATA_DIR__


[Install]
WantedBy=multi-user.target