[Unit]
Description=Vaultwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target

[Service]
# The user/group vaultwarden is run under. the working directory (see below) should allow write and read access to this user/group
User=__APP__
Group=__APP__
WorkingDirectory=__INSTALL_DIR__/live/
ReadWriteDirectories=__INSTALL_DIR__/live/ __DATA_DIR__/ /var/log/__APP__/
EnvironmentFile=__INSTALL_DIR__/live/.env
ExecStart=__INSTALL_DIR__/live/vaultwarden

# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64

# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these 
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=false
ProtectSystem=strict

[Install]
WantedBy=multi-user.target