[Unit]
Description=TimescaleDB Promscale Service
Documentation=https://github.com/timescale/promscale
Requires=network-online.target
After=network-online.target

[Service]
User=promscale
Group=promscale
EnvironmentFile=-/etc/promscale.conf
ExecStart=/usr/bin/promscale $OPTIONS
Restart=on-failure
RestartSec=5s
KillMode=mixed
KillSignal=SIGINT

# Hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
CapabilityBoundingSet=
AmbientCapabilities=
PrivateUsers=true

SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native

LimitNOFILE=1048576
UMask=0077

[Install]
WantedBy=multi-user.target