[Unit]
Description=PostgreSQL 14 database server
After=network.target

[Service]
Type=notify
TimeoutSec=120
User=postgres
Group=postgres

Environment=PGROOT=/var/lib/postgres
Environment=PATH=/opt/postgresql14/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Environment=LD_LIBRARY_PATH=/opt/postgresql14/lib

SyslogIdentifier=postgres
PIDFile=/var/lib/postgres/data14/postmaster.pid
RuntimeDirectory=postgresql
RuntimeDirectoryMode=755

ExecStartPre=/opt/postgresql14/bin/postgresql-check-db-dir ${PGROOT}/data14
ExecStart=/opt/postgresql14/bin/postgres -D ${PGROOT}/data14
ExecStartPost=/usr/bin/echo "Before using, source /opt/postgresql14/bin/pgenv.sh to set PostgreSQL environment"
ExecReload=/bin/kill -HUP ${MAINPID}
KillMode=mixed
KillSignal=SIGINT

# Due to PostgreSQL's use of shared memory, OOM killer is often overzealous in
# killing Postgres, so adjust it downward
OOMScoreAdjust=-200

# Additional security-related features
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
NoNewPrivileges=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
PrivateDevices=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target