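# systemd unit for the libreddit daemon, run as a transient unprivileged user.

[Unit]
Description=libreddit daemon
# network.target is the standard ordering point for network-facing services.
# network.service is kept for distributions that still ship a unit by that
# name; an After= on a unit that does not exist has no effect.
After=network.target network.service

[Service]
# Allocates a throwaway UID/GID at start. Per systemd.exec(5) this also implies
# ProtectSystem=strict, ProtectHome=read-only, PrivateTmp=yes, RemoveIPC=yes,
# NoNewPrivileges=yes and RestrictSUIDSGID=yes.
DynamicUser=yes

# Default Values
# 0.0.0.0 listens on every interface. When the daemon sits behind a reverse
# proxy on the same host, set ADDRESS=127.0.0.1 in the override file below so
# the plain-HTTP port is not reachable from the network.
Environment=ADDRESS=0.0.0.0
Environment=PORT=8080

# Optional Override
# The leading "-" makes a missing file non-fatal. The file sets the listen
# address and port as well as the daemon's environment, so keep it root-owned
# and not writable by other users.
EnvironmentFile=-/etc/libreddit.conf
# ${VAR} (with braces) expands to exactly one argument, so a value containing
# spaces cannot introduce extra command-line options.
ExecStart=/usr/bin/libreddit -a ${ADDRESS} -p ${PORT}

# Hardening
# Empty assignment clears the device allow-list; PrivateDevices=yes below
# gives the service a private /dev without physical devices.
DeviceAllow=
LockPersonality=yes
MemoryDenyWriteExecute=yes
PrivateDevices=yes
# ProcSubset= and ProtectProc= were added in systemd 247.
ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
# Stricter than the read-only default implied by DynamicUser=yes.
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
# Only IPv4/IPv6 sockets may be created; AF_UNIX, AF_NETLINK, AF_PACKET and
# the rest are refused.
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
# Already implied by DynamicUser=yes; kept explicit.
RestrictSUIDSGID=yes
SystemCallArchitectures=native
# Allow-list first, then a separate deny-list assignment. systemd.exec(5)
# honours "~" only as the first character of an assignment, so "~@privileged"
# placed after "@system-service" on the same line is not applied as a
# deny-list entry. @system-service itself contains privileged and
# resource-control calls, which the second line removes again.
# After deploying, run "systemd-analyze verify" on the unit and watch the
# journal for SIGSYS terminations in case the daemon needs a removed call.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# Files the daemon creates are readable by its own user only.
UMask=0077

[Install]
WantedBy=default.target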