[Unit] Description=__APP__ daemon After=network.target [Service] Type=simple Environment="PORT=__PORT__" Environment="__YNH_NODE_LOAD_PATH__" User=__APP__ Group=__APP__ ExecStart=/bin/sh -c ' node http/server.jst' WorkingDirectory=__FINALPATH__/ StandardOutput=syslog StandardError=syslog SyslogIdentifier=__APP__ Restart=always ; Some security directives. ; Use private /tmp and /var/tmp folders inside a new file system namespace, ; which are discarded after the process stops. PrivateTmp=true ; Mount /usr, /boot, and /etc as read-only for processes invoked by this service. ProtectSystem=full ; Sets up a new /dev mount for the process and only adds API pseudo devices ; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled ; by default because it may not work on devices like the Raspberry Pi. PrivateDevices=false ; Ensures that the service process and all its children can never gain new ; privileges through execve(). NoNewPrivileges=true ; This makes /home, /root, and /run/user inaccessible and empty for processes invoked ; by this unit. Make sure that you do not depend on data inside these folders. ProtectHome=false ; Drops the sys admin capability from the daemon. CapabilityBoundingSet=~CAP_SYS_ADMIN [Install] WantedBy=multi-user.target