[Unit]
Description=Solanum IRCd

[Service]
Type=forking
User=solanum
ExecStart=/home/solanum/ircd/bin/solanum -pidfile /run/solanum/solanum.pid
ExecReload=/usr/bin/kill -HUP $MAINPID
NoNewPrivileges=true
ProtectSystem=strict
RuntimeDirectory=solanum
ReadWritePaths=/home/solanum/ircd/logs
PrivateDevices=true
Restart=always
RestartSec=5
RemoveIPC=true
CapabilityBoundingSet=
ProtectClock=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectKernelModules=true
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
RestrictNamespaces=true
RestrictSUIDSGID=true
ProtectHostname=true
LockPersonality=true
ProtectKernelTunables=true
RestrictAddressFamilies=AF_INET AF_INET6
RestrictRealtime=true
ProtectProc=ptraceable
ProcSubset=pid
ProtectHome=tmpfs
BindPaths=/home/solanum/ircd
PrivateUsers=true
PrivateTmp=true
SystemCallFilter=@system-service
SystemCallFilter=~@resources @privileged
UMask=0077

[Install]
WantedBy=multi-user.target