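# systemd unit for the mediator service.
# Runs /opt/mediator/mediator as the unprivileged mediator user inside a
# restrictive sandbox; the only writable path is /opt/mediator/data.

[Unit]
Description=mediator - date polls for friend groups
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# The mediator user and group must exist before the unit is started.
User=mediator
Group=mediator
# The address passed is loopback-only, so the service is not directly reachable
# from other hosts. NOTE(review): presumably a reverse proxy fronts it; confirm.
ExecStart=/opt/mediator/mediator -addr 127.0.0.1:8080 -data /opt/mediator/data
Restart=on-failure
RestartSec=2

# Sandboxing: the service only needs to read its binary and write its data dir.
NoNewPrivileges=true
# With ProtectSystem=strict the whole file system is read-only for the service,
# including its own binary; ReadWritePaths= is the single exception.
# /opt/mediator/data must already exist, otherwise the unit fails to start.
ProtectSystem=strict
ReadWritePaths=/opt/mediator/data
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictSUIDSGID=true
RestrictRealtime=true
LockPersonality=true
MemoryDenyWriteExecute=true
# Only socket() calls for these families succeed. AF_UNIX is not listed:
# inherited stdout/stderr still work, but the binary cannot open new Unix
# sockets. Add AF_UNIX only if the service turns out to need one.
RestrictAddressFamilies=AF_INET AF_INET6
# MemoryDenyWriteExecute= and RestrictAddressFamilies= are enforced with
# seccomp; on multi-ABI hosts (x86 / x86-64) they can be sidestepped through
# the secondary ABI unless non-native system calls are switched off.
SystemCallArchitectures=native
# NOTE(review): assumes the binary never creates namespaces itself; confirm.
RestrictNamespaces=true
# Empty assignment: the service keeps no capabilities at all.
CapabilityBoundingSet=

[Install]
WantedBy=multi-user.target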