From d3b89a5beeabae416a013e6ffc46d006b2b7e4b1 Mon Sep 17 00:00:00 2001
From: Amolith
Date: Sat, 8 Nov 2025 19:12:17 -0700
Subject: [PATCH] docs(contrib): add example systemd service
---
contrib/sift.service | 48 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 contrib/sift.service
diff --git a/contrib/sift.service b/contrib/sift.service
new file mode 100644
index 0000000000000000000000000000000000000000..1a95ea1f53325f6b86494318fd331c880457d0da
--- /dev/null
+++ b/contrib/sift.service
@@ -0,0 +1,48 @@
+[Unit]
+Description=Sift collaborative list app (Deno)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+User=sift
+Group=sift
+Type=simple
+WorkingDirectory=/home/sift/sift
+Environment=HOME=/home/sift
+Environment=XDG_CACHE_HOME=/home/sift/.cache
+Environment=DENO_DIR=/home/sift/.cache/deno
+ExecStart=/home/sift/.deno/bin/deno run --allow-net=:8294 --allow-read=./static/,./lists.db,/home/sift/.cache/deno,/home/sift/.cache/deno/plug --allow-write=./lists.db,/home/sift/.cache/deno,/home/sift/.cache/deno/plug --allow-env --allow-ffi server.ts
+Restart=on-failure
+RestartSec=2s
+TimeoutStartSec=30s
+TimeoutStopSec=15s
+KillMode=mixed
+
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ProtectHome=read-only
+ReadWritePaths=/home/sift/sift
+ReadWritePaths=/home/sift/.cache/deno
+LockPersonality=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+CapabilityBoundingSet=
+AmbientCapabilities=
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+UMask=0077
+RemoveIPC=yes
+PrivateMounts=yes
+ProcSubset=pid
+ProtectProc=invisible
+LimitNOFILE=16384
+
+[Install]
+WantedBy=multi-user.target
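Review bot: The ExecStart line passes `--allow-ffi` and `--allow-env` without a scope, and native code loaded through FFI is not bound by Deno's permission flags, so the `--allow-read`/`--allow-write` lists stop being a real boundary and the systemd directives are the only containment. Scoping them, e.g. `--allow-ffi=<PATH_TO_NATIVE_LIBRARY>` (presumably the library cached under `/home/sift/.cache/deno/plug`) and `--allow-env=<VAR_NAMES>`, would keep the Deno layer meaningful. The directory that library is presumably loaded from is also writable by the service (`--allow-write` and `ReadWritePaths=/home/sift/.cache/deno`), as is the whole application tree via `ReadWritePaths=/home/sift/sift`. Populating the cache at deploy time and keeping only the database's directory writable would be tighter. A short comment in the unit explaining why FFI is needed would help anyone adapting this example.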