germinal/germinal.service

[Unit]
Description=Germinal, a gemini server

[Service]
ExecStart=/usr/local/share/germinal/germinal.ros
Type=simple
Restart=always
RestartSec=10
User=germinal

CapabilityBoundingSet=
DevicePolicy=closed
LockPersonality=true
NoNewPrivileges=yes
PrivateDevices=true
PrivateTmp=yes
PrivateUsers=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectDevices=yes
ProtectHome=yes
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=true
RestrictSUIDSGID=true
UMask=177


[Install]
WantedBy=multi-user.target