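# systemd unit for the Scrutiny web server.
# __APP__ and __INSTALL_DIR__ are template placeholders; presumably the
# packaging tooling substitutes them before the unit is installed.

[Unit]
Description=Scrutiny web server
# After= only orders start-up; Wants= is what actually pulls
# network-online.target into the boot transaction.
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
# Run as the dedicated, unprivileged application account.
User=__APP__
Group=__APP__
WorkingDirectory=__INSTALL_DIR__
# systemd creates /var/log/__APP__ and /var/lib/__APP__ owned by User=.
LogsDirectory=__APP__
StateDirectory=__APP__
ExecStart=__INSTALL_DIR__/bin/scrutiny-web-linux-amd64 start --config __INSTALL_DIR__/config/scrutiny.yaml
Restart=always
RestartSec=10s
# stdout is appended to the log file; stderr follows stdout.
StandardOutput=append:/var/log/__APP__/__APP__-web-server.log
StandardError=inherit

# --- Sandboxing ---
# The process and its children can never gain privileges (setuid, file caps).
NoNewPrivileges=yes
# /home, /root and /run/user are inaccessible to the service.
ProtectHome=yes
# NOTE(review): left disabled as in the original. With strict, the whole
# file system is read-only except StateDirectory=/LogsDirectory= and any
# ReadWritePaths=. Confirm what the service writes under __INSTALL_DIR__
# before enabling it.
#ProtectSystem=strict
# Private /tmp and /var/tmp, and a minimal /dev without physical devices.
PrivateTmp=yes
PrivateDevices=yes
# Kernel tunables, module loading, the kernel log, cgroups, the hostname
# and the system clock cannot be modified by the service.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectClock=yes
# Only IPv4/IPv6 sockets may be created; AF_UNIX and netlink are excluded.
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
LockPersonality=yes
# Refuse memory mappings that are both writable and executable.
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Remove the service user's SysV/POSIX IPC objects when the unit stops.
RemoveIPC=yes
# Empty assignment clears the bounding set: the service holds no capabilities.
CapabilityBoundingSet=

[Install]
WantedBy=multi-user.target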