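# systemd unit for the redlib daemon, run as a sandboxed, unprivileged service.
# Comments are full-line only: systemd does not support trailing comments.
# After editing, the sandbox can be audited with: systemd-analyze security <unit>

[Unit]
Description=redlib daemon
# network.target is the standard ordering point for network services; an
# After= on a unit name that does not exist on the host is silently ignored.
After=network.target

[Service]
# systemd allocates a transient unprivileged user/group for the lifetime of
# the service, so no static account is needed. This also implies
# ProtectSystem=strict, PrivateTmp=yes and NoNewPrivileges=yes.
DynamicUser=yes

# Default values. These must be active: /etc/redlib.conf is optional, and an
# unset ${VAR} in ExecStart= expands to an empty argument.
# 0.0.0.0 listens on every IPv4 interface. When the service sits behind a local
# reverse proxy, set ADDRESS=127.0.0.1 in /etc/redlib.conf instead.
Environment=ADDRESS=0.0.0.0
Environment=PORT=8080

# Optional override. The leading "-" makes a missing file a non-error, and
# values read from the file take precedence over Environment= above.
# systemd reads this file before starting the service, so keep it owned by
# root and not writable by other users.
EnvironmentFile=-/etc/redlib.conf
ExecStart=/usr/bin/redlib -a ${ADDRESS} -p ${PORT}

# Hardening
# Empty assignment clears the device allow-list; PrivateDevices= below limits
# /dev to the standard pseudo-devices.
DeviceAllow=
# Forbid changing the execution domain (personality).
LockPersonality=yes
# Forbid memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=yes
PrivateDevices=yes
# Expose only the per-process part of /proc, and hide other users' processes.
ProcSubset=pid
ProtectProc=invisible
# Block changes to the clock, cgroup tree, hostname, kernel log, kernel
# modules and kernel tunables; make home directories inaccessible.
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Only IPv4/IPv6 sockets may be created. AF_UNIX is deliberately absent; add it
# here if the service ever needs to reach a local Unix socket.
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Allow native-ABI system calls only: start from the @system-service
# allow-list, then remove the @privileged and @resources groups from it.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# Files created by the service are readable by its own user only.
UMask=0077

[Install]
WantedBy=default.target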