[Unit]
Description=Graylog management server
After=network.target mongodb.service
Requires=mongodb.service

[Service]
DynamicUser=true
PIDFile=$RUNTIME_DIRECTORY/server.pid
ExecStart=/usr/bin/java -Djava.net.preferIPv6Addresses=true -Djava.library.path=/usr/lib/graylog/lib/sigar -jar /usr/lib/graylog/server.jar server -f ${CONFIGURATION_DIRECTORY}/server/server.conf -p ${RUNTIME_DIRECTORY}/server.pid
Restart=on-failure

StateDirectory=graylog
RuntimeDirectory=graylog
ConfigurationDirectory=graylog

NoNewPrivileges=yes
CapabilityBoundingSet=
SystemCallArchitectures=native
SystemCallFilter=@system-service

PrivateDevices=yes
PrivateUsers=yes
PrivateTmp=yes

ProtectSystem=strict
ProtectClock=yes
ProtectHome=true
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes

RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

[Install]
WantedBy=multi-user.target