[Unit]
Description=immich server
Documentation=https://github.com/immich-app/immich
Requires=redis.service
Requires=postgresql.service
After=network.target
Wants=network-online.target
After=network-online.target

[Service]
User=immich
Group=immich
Type=simple
Restart=on-failure

EnvironmentFile=/etc/immich.conf
Environment=NODE_ENV=production
SyslogIdentifier=immich-server
ExecStart=node dist/apps/immich/apps/immich/src/main

PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

RestrictNamespaces=yes

SystemCallArchitectures=native
AmbientCapabilities=
CapabilityBoundingSet=
NoNewPrivileges=yes

WorkingDirectory=/var/lib/immich/app/server
ReadWritePaths=/tmp /var/tmp /var/lib/immich/upload

[Install]
WantedBy=multi-user.target