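# systemd unit for the Favoritter web app.
# One directive per line, full-line comments only: systemd does not support
# trailing comments on a value line.

[Unit]
Description=Favoritter - Self-hosted favorites web app
After=network.target

[Service]
Type=simple
# Run as a dedicated unprivileged account rather than root.
User=favoritter
Group=favoritter
# systemd reads this file itself before starting the process, so the service
# account needs no read access to it. If it carries secrets, keep it owned by
# root and not world-readable.
EnvironmentFile=/etc/favoritter/favoritter.env
ExecStart=/usr/bin/favoritter
Restart=on-failure
RestartSec=5

# Hardening — ProtectSystem=strict makes the filesystem read-only
# except for ReadWritePaths. If you change FAVORITTER_UPLOAD_DIR or
# FAVORITTER_DB_PATH to a location outside /var/lib/favoritter, add
# that path to ReadWritePaths.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/favoritter
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes

# Additional sandboxing. The service runs as an unprivileged user, so none of
# these should remove anything a plain web app relies on; confirm after a
# restart and review the result with `systemd-analyze security <unit-name>`.
# An older systemd that does not know a directive logs a warning and ignores it.

# Empty bounding set: the process can never hold any capability.
# NOTE(review): assumes the app listens on an unprivileged port (>= 1024).
CapabilityBoundingSet=
# Hide physical devices; /dev/null, /dev/urandom and similar remain available.
PrivateDevices=yes
# Deny kernel module loading, kernel log access, and clock/hostname changes.
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectClock=yes
ProtectHostname=yes
# Allow only IP and Unix sockets. Extend this list if the app needs another
# family (for example AF_NETLINK).
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Deny creation of new namespaces, realtime scheduling, and personality changes.
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
# Permit only the native system-call ABI.
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target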