# systemd service unit for the Navidrome music server.
# The __APP__, __CONFIG_PATH__ and __FINALPATH__ tokens look like install-time
# template placeholders; presumably the packaging scripts substitute them
# before this unit is installed (confirm against the installer).
[Unit]
Description=Navidrome Music Server and Streamer compatible with Subsonic/Airsonic
# Ordering only: start after remote filesystems and networking are up.
After=remote-fs.target network.target
# Fail the start (rather than silently skipping it) if the config directory is missing.
AssertPathExists=__CONFIG_PATH__

[Service]
Type=simple
# Run as a dedicated account, not root.
User=__APP__
Group=__APP__
WorkingDirectory=__CONFIG_PATH__/
ExecStart=__FINALPATH__/__APP__ --configfile "__CONFIG_PATH__/navidrome.toml"
# Seconds to wait for a clean stop before systemd force-kills the service.
TimeoutStopSec=20
# NOTE(review): KillMode=process signals only the main process on stop; any
# helper processes it spawned keep running. systemd.kill(5) advises against
# this setting. Confirm it is intentional.
KillMode=process
Restart=on-failure
# Keeps the config directory writable even where ProtectSystem= below would
# make its parent read-only.
ReadWritePaths=__CONFIG_PATH__

# Sandboxing. Audit the resulting exposure with:
#   systemd-analyze security <unit name>
# See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
# Blocks privilege gain through execve() (setuid/setgid bits, file capabilities).
NoNewPrivileges=yes
# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=yes
# Runs in its own user namespace; host users other than root and the service
# account are mapped to "nobody".
PrivateUsers=yes
# Allow-list of socket families: local sockets plus IPv4/IPv6 only.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
# Only the standard pseudo devices (/dev/null, /dev/zero, /dev/urandom, ...) are reachable.
DevicePolicy=closed
# /usr, /boot, /efi and /etc are mounted read-only for this service.
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# The leading "~" makes this a deny-list: the listed system-call groups are
# blocked and everything else stays allowed.
SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap

# You can uncomment the following line if you don't have any media in /home/*.
# This will prevent navidrome from ever reading/writing anything there.
#ProtectHome=true

[Install]
WantedBy=multi-user.target