# Unit metadata and start-up ordering for the Sift list app.
[Unit]
Description=Sift collaborative list app (Deno)
# Wants= pulls network-online.target into the boot transaction and After=
# orders this unit behind it, so the server is started only once that target
# has been reached.
After=network-online.target
Wants=network-online.target

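# Process definition and sandbox for the Deno server.
[Service]
# Dedicated account; the unit never runs as root.
User=sift
Group=sift
Type=simple
# Relative paths in ExecStart (./static/, ./lists.db, server.ts) resolve here.
WorkingDirectory=/home/sift/sift
# Pin Deno's cache location so the permission lists and ReadWritePaths= below
# can name it explicitly.
Environment=HOME=/home/sift
Environment=XDG_CACHE_HOME=/home/sift/.cache
Environment=DENO_DIR=/home/sift/.cache/deno
# Deno permission flags: network limited to port 8294, reads limited to
# static/, lists.db and the Deno cache, writes limited to lists.db and the
# Deno cache.
# NOTE(review): --allow-ffi is unscoped. Native code loaded through FFI is not
# subject to Deno's permission checks, so the --allow-net/--allow-read/
# --allow-write lists are not an enforced boundary once a native library is
# loaded; the systemd directives below are the real confinement. If the only
# native library is the one cached under DENO_DIR/plug (presumably - confirm
# against server.ts), scope the flag to that path:
#   --allow-ffi=/home/sift/.cache/deno/plug
# NOTE(review): --allow-env is also unscoped; prefer --allow-env=<NAME,...>
# listing only the variables server.ts actually reads.
ExecStart=/home/sift/.deno/bin/deno run --allow-net=:8294 --allow-read=./static/,./lists.db,/home/sift/.cache/deno,/home/sift/.cache/deno/plug --allow-write=./lists.db,/home/sift/.cache/deno,/home/sift/.cache/deno/plug --allow-env --allow-ffi server.ts
Restart=on-failure
RestartSec=2s
TimeoutStartSec=30s
TimeoutStopSec=15s
# SIGTERM goes to the main process only; any processes still left in the
# control group are sent SIGKILL afterwards.
KillMode=mixed

# --- Privilege and file-system confinement ---
# Block privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
# Whole file system is read-only apart from /dev, /proc and /sys, and the home
# directories are read-only; only the ReadWritePaths= entries are writable.
ProtectSystem=strict
ProtectHome=read-only
# NOTE(review): this makes the entire application directory writable,
# including server.ts and static/. With FFI enabled, a compromised process
# could rewrite its own code and persist across restarts. Consider moving
# lists.db into a dedicated data directory (for example via StateDirectory=)
# and making only that writable. Keep it directory-level rather than
# file-level: lists.db is presumably SQLite, which creates sidecar files next
# to the database - confirm before changing.
ReadWritePaths=/home/sift/sift
ReadWritePaths=/home/sift/.cache/deno
LockPersonality=yes
# Sockets restricted to local (AF_UNIX) and IPv4/IPv6; no netlink, packet or
# other families.
# NOTE(review): if the app is only reached through a local reverse proxy (not
# visible in this unit), IPAddressDeny=any plus IPAddressAllow=localhost would
# also limit which peers can connect.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# NOTE(review): only the syscall ABI is restricted; there is no
# SystemCallFilter=. SystemCallFilter=@system-service is the usual baseline
# for a network service - test it against Deno before enabling.
# MemoryDenyWriteExecute= is intentionally left unset: it is incompatible with
# JIT engines such as the V8 runtime Deno embeds.
SystemCallArchitectures=native
# Empty assignments clear both sets: the service holds no capabilities.
CapabilityBoundingSet=
AmbientCapabilities=
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
# The service has no reason to set the system clock or change the hostname.
ProtectClock=yes
ProtectHostname=yes
# Files the service creates (including database files) are owner-only.
UMask=0077
RemoveIPC=yes
PrivateMounts=yes
# /proc exposes only the per-process subset, and processes owned by other
# users are hidden.
ProcSubset=pid
ProtectProc=invisible
LimitNOFILE=16384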

# Enabling the unit hooks it into multi-user.target, so it is started as part
# of a normal (non-rescue) boot.
[Install]
WantedBy=multi-user.target
