# Changing the systemd config can be done like this:
# 1) Edit the config file: systemctl edit --full miniflux
# 2) Restart the process: systemctl restart miniflux
# All your changes can be reverted with `systemctl revert miniflux.service`.
# See https://wiki.archlinux.org/index.php/Systemd#Editing_provided_units.
# Also see https://www.freedesktop.org/software/systemd/man/systemd.service.html
# for available configuration options in this file.

[Unit]
Description=Miniflux
Documentation=man:miniflux(1) https://miniflux.app/docs/index.html
After=network.target postgresql.service

[Service]
ExecStart=/usr/bin/miniflux
User=miniflux

# Load environment variables from /etc/miniflux.conf.
EnvironmentFile=/etc/miniflux.conf

# Miniflux uses sd-notify protocol to notify about it's readiness.
Type=notify

# Enable watchdog.
WatchdogSec=60s
WatchdogSignal=SIGKILL

# Automatically restart Miniflux if it crashes.
Restart=always
RestartSec=5

# Allocate a directory at /run/miniflux for Unix sockets.
RuntimeDirectory=miniflux

# Allow Miniflux to bind to privileged ports.
AmbientCapabilities=CAP_NET_BIND_SERVICE

# Make the system tree read-only.
ProtectSystem=strict

# Allocate a separate /tmp.
PrivateTmp=yes

# Ensure the service can never gain new privileges.
NoNewPrivileges=yes

# Prohibit access to any kind of namespacing.
RestrictNamespaces=yes

# Make home directories inaccessible.
ProtectHome=yes

# Make device nodes except for /dev/null, /dev/zero, /dev/full,
# /dev/random and /dev/urandom inaccessible.
PrivateDevices=yes

# Make cgroup file system hierarchy inaccessible.
ProtectControlGroups=yes

# Deny kernel module loading.
ProtectKernelModules=yes

# Make kernel variables (e.g. /proc/sys) read-only.
ProtectKernelTunables=yes

# Deny hostname changing.
ProtectHostname=yes

# Deny realtime scheduling.
RestrictRealtime=yes

# Deny access to the kernel log ring buffer.
ProtectKernelLogs=yes

# Deny setting the hardware or system clock.
ProtectClock=yes

# Filter dangerous system calls. The following is listed as safe basic
# choice in systemd.exec(5).
SystemCallArchitectures=native

# Deny kernel execution domain changing.
LockPersonality=yes

# Deny memory mappings that are writable and executable.
MemoryDenyWriteExecute=yes

[Install]
WantedBy=multi-user.target