[Unit]
Description=Headscale controller
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/headscale serve
WorkingDirectory=/var/lib/headscale
ConfigurationDirectory=headscale
RuntimeDirectory=headscale
User=headscale
Group=headscale

DynamicUser=yes
Restart=always
RestartSec=5

CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

# If headscale is run at ports >1024, you should apply these options via a
# drop-in file
#CapabilityBoundingSet=
#AmbientCapabilities=
#PrivateUsers=yes

NoNewPrivileges=yes

LimitNOFILE=1048576
UMask=0077

ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/headscale /var/run/headscale
PrivateTmp=yes
PrivateDevices=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes

SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target