[Unit]
Description=Go-Livepeer Orchestrator and Transcoder service
After=network.target
Wants=network-online.target

[Service]
User=livepeer
Group=livepeer
Type=simple
EnvironmentFile=/etc/go-livepeer/environment

ExecStart=/usr/bin/livepeer $ARGS

Restart=on-failure
RestartSec=1

ProtectHome=yes
ProtectClock=yes
PrivateDevices=yes
ProtectHostname=yes
NoNewPrivileges=yes
ProtectSystem=strict
RestrictRealtime=yes
RestrictSUIDSGID=yes
ProtectKernelLogs=yes
RestrictNamespaces=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
SystemCallErrorNumber=EPERM
ReadOnlyPaths=/etc/go-livepeer
SystemCallArchitectures=native
SystemCallFilter=@system-service
ReadWritePaths=/var/cache/livepeer /var/lib/livepeer

[Install]
WantedBy=default.target