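# systemd service unit for matrix-media-repo.
# systemd dialect: full-line `#` comments only (no inline comments), `=` delimiter.
# Repeated SystemCallFilter= lines accumulate into one deny list; other keys are last-wins.

[Unit]
Description=Matrix Media Repo
# Path is where StateDirectory= below is created under DynamicUser= (see [Service]).
RequiresMountsFor=/var/lib/private/matrix-media-repo
After=network.target

[Service]
# Stop the whole unit if the kernel OOM killer takes any process in it, rather than
# leaving a half-dead service running.
OOMPolicy=stop
OOMScoreAdjust=10
# Run as a transient, unprivileged UID allocated at start; StateDirectory= then lives
# under /var/lib/private/ and is owned by that UID.
DynamicUser=yes
# Copy the packaged config into the private state directory before each start.
# UMask=077 (set below) applies to ExecStartPre= as well, so the copy is created 0600
# and readable only by the service user; /etc itself stays read-only under ProtectSystem=strict.
# NOTE(review): the dynamic user must be able to read /etc/matrix-media-repo.yaml — confirm
# its mode/ownership on the target host, otherwise the unit fails in ExecStartPre.
ExecStartPre=/usr/bin/cp "/etc/matrix-media-repo.yaml" "/var/lib/private/matrix-media-repo/config.yaml"
ExecStart=/usr/lib/matrix-media-repo/media_repo -config /var/lib/private/matrix-media-repo/config.yaml
Restart=always
RestartSec=1s
StateDirectory=matrix-media-repo
WorkingDirectory=/var/lib/private/matrix-media-repo
# CPU cap left disabled by the author; reason not recorded.
#CPUQuota=35%
CPUWeight=80
# Files created by the service (including the config copy above) are owner-only.
UMask=077

# --- Sandboxing ---
# Hide other users' processes in /proc from the service.
ProtectProc=invisible
# Run in a private user namespace; host root is not mapped into it.
PrivateUsers=yes
# No new namespaces of any kind may be created by the service.
RestrictNamespaces=yes
# Empty bounding and ambient sets: the service holds no capabilities at all.
# NOTE(review): without CAP_NET_BIND_SERVICE the repo must listen on a port >= 1024
# (or sit behind a reverse proxy) — confirm the listen port in the config.
CapabilityBoundingSet=
AmbientCapabilities=
# Deny-list syscall groups; each line adds to the same filter.
SystemCallFilter=~@clock
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@debug
SystemCallFilter=~@module
# Left disabled by the author; reason not recorded. mount(2) is in practice already
# unavailable with the empty capability set above — TODO confirm and decide whether to enable.
#SystemCallFilter=~@mount
SystemCallFilter=~@obsolete
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@swap
# Only the native ABI's syscalls are allowed (no compat/32-bit entry points).
SystemCallArchitectures=native
# Filesystem: whole tree read-only except StateDirectory= and the other writable
# exceptions systemd carves out; no access to /home; private /tmp and /dev.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Kernel-facing protections.
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
# Sockets: Unix domain plus IPv4/IPv6 only (HTTP listener and outbound connections).
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
LockPersonality=yes
# Refuse writable+executable memory mappings.
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Remove the dynamic user's SysV IPC objects when the service stops.
RemoveIPC=yes

[Install]
WantedBy=multi-user.target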