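# systemd unit for the Sift collaborative list app, run under Deno as the
# unprivileged "sift" user. Two sandboxes are stacked here: Deno's own
# permission flags (ExecStart) and systemd's service hardening ([Service]).
# Because --allow-ffi is granted, native code loaded through FFI is not bound
# by Deno's permission flags; the systemd directives below are the layer that
# still applies to it.

[Unit]
Description=Sift collaborative list app (Deno)
# Order after, and pull in, network-online.target before starting.
After=network-online.target
Wants=network-online.target

[Service]
User=sift
Group=sift
Type=simple
# Relative paths in ExecStart (./static/, ./lists.db, server.ts) resolve here.
WorkingDirectory=/home/sift/sift
Environment=HOME=/home/sift
Environment=XDG_CACHE_HOME=/home/sift/.cache
Environment=DENO_DIR=/home/sift/.cache/deno

# Deno permission flags, one per line for easier review:
#   --allow-net    network access limited to port 8294 (no host given)
#   --allow-read   static assets, the database file, the Deno cache
#   --allow-write  the database file and the Deno cache
#   --allow-env    unscoped: every environment variable is readable
#   --allow-ffi    unscoped: any dynamic library may be loaded
# NOTE(review): --allow-env and --allow-ffi are the two broad grants. If the
# variables server.ts reads are known, list them (--allow-env=NAME,...).
# The cache paths above suggest the native library lives under
# /home/sift/.cache/deno/plug; if so, --allow-ffi=<that path> would scope the
# grant. Confirm against server.ts before tightening.
ExecStart=/home/sift/.deno/bin/deno run \
    --allow-net=:8294 \
    --allow-read=./static/,./lists.db,/home/sift/.cache/deno,/home/sift/.cache/deno/plug \
    --allow-write=./lists.db,/home/sift/.cache/deno,/home/sift/.cache/deno/plug \
    --allow-env \
    --allow-ffi \
    server.ts

Restart=on-failure
RestartSec=2s
TimeoutStartSec=30s
TimeoutStopSec=15s
# SIGTERM goes to the main process only; SIGKILL afterwards goes to whatever
# is left in the unit's control group.
KillMode=mixed

# --- Privilege and capability restrictions ---
NoNewPrivileges=yes
RestrictSUIDSGID=yes
# Empty assignments: no capabilities in the bounding set, none ambient.
CapabilityBoundingSet=
AmbientCapabilities=
LockPersonality=yes
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallArchitectures=native
# MemoryDenyWriteExecute= is not set: it is incompatible with JIT runtimes
# such as V8, which Deno embeds.
# NOTE(review): no SystemCallFilter= is configured. @system-service is the
# usual starting point; test it against the FFI library before enabling.

# --- Filesystem view ---
PrivateTmp=yes
PrivateDevices=yes
PrivateMounts=yes
# The whole filesystem is read-only for the service except ReadWritePaths=.
ProtectSystem=strict
# /home is read-only (not hidden), so other users' home directories stay
# visible subject to ordinary file permissions.
ProtectHome=read-only
# NOTE(review): the first path makes the entire application directory
# writable, including server.ts and static/, not only lists.db. The second
# makes the Deno module and native-library cache writable. A compromised
# process could alter what is loaded on the next start. Consider keeping the
# database in a dedicated writable directory and populating the cache at
# deploy time so both code locations can be read-only at runtime.
ReadWritePaths=/home/sift/sift
ReadWritePaths=/home/sift/.cache/deno
# New files and directories are created owner-only.
UMask=0077
RemoveIPC=yes

# --- Kernel, /proc and host identity ---
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
# Added: the service has no reason to set the system clock or hostname.
ProtectClock=yes
ProtectHostname=yes
# Only per-process entries in /proc, and other users' processes are hidden.
ProcSubset=pid
ProtectProc=invisible

# --- Network ---
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# NOTE(review): systemd places no limit on which addresses or ports the
# service may use; only Deno's --allow-net does, and FFI code is outside it.
# IPAddressDeny=/IPAddressAllow= or SocketBindAllow=/SocketBindDeny= would
# enforce this at the service level if the deployment supports them.

# --- Resource limits ---
LimitNOFILE=16384

[Install]
WantedBy=multi-user.target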