# systemd service unit for the Teddit daemon: runs `node app.js` from
# /opt/teddit as the unprivileged teddit user inside a hardened sandbox.
# systemd only accepts comments on their own lines, so every note sits above
# the directive it describes.

[Unit]
Description=Teddit Daemon
# After= is ordering only: this unit is started after network.target and
# redis.service when they are part of the same transaction. Nothing here
# (no Wants=/Requires=) pulls redis in or stops Teddit when redis goes away.
After=network.target
After=redis.service

[Service]
# Dedicated non-root account for the process.
User=teddit
Group=teddit
Type=simple
# ExecStart's relative "app.js" is resolved against this directory.
WorkingDirectory=/opt/teddit
# Restart on any exit, clean or not, after a 2 second pause.
Restart=always
RestartSec=2s
# With ProtectSystem=strict below, this is the only persistent path the
# service can write to.
# NOTE(review): /opt/teddit is also where app.js is loaded from, so the
# service can rewrite its own code. If Teddit only needs to write to specific
# subdirectories, narrow this to those paths -- confirm against the app.
ReadWritePaths=/opt/teddit
ExecStart=/usr/bin/node app.js
# Private /tmp and /var/tmp, not shared with other services.
PrivateTmp=true

# --- Privileges ---
# Empty value = empty bounding set: the process can never hold any capability.
CapabilityBoundingSet=
# execve() cannot grant new privileges (setuid/setgid bits, file capabilities).
NoNewPrivileges=true
# Locks the personality(2) execution domain.
LockPersonality=true

# --- Kernel and host surface ---
# Private /dev with only pseudo-devices (null, zero, random, ...); no
# physical devices.
PrivateDevices=true
# Denies changes to the system and hardware clocks.
ProtectClock=true
# Makes the cgroup hierarchy read-only.
ProtectControlGroups=true
# /home, /root and /run/user appear empty and inaccessible.
ProtectHome=true
# Denies changing the hostname or domain name.
ProtectHostname=true
# Denies access to the kernel log ring buffer.
ProtectKernelLogs=true
# Denies explicit kernel module loading and unloading.
ProtectKernelModules=true
# Makes kernel tunables (/proc/sys, /sys, ...) read-only.
ProtectKernelTunables=true
# Hides other users' processes in /proc from this service.
ProtectProc=noaccess
# Mounts the whole file system hierarchy read-only except /dev, /proc and
# /sys; writable paths must be listed explicitly (see ReadWritePaths=).
ProtectSystem=strict

# --- Syscall-level restrictions ---
# Denies creating or joining any kind of namespace.
RestrictNamespaces=true
# Denies acquiring realtime scheduling policies.
RestrictRealtime=true
# Denies setting the set-user-ID / set-group-ID bits on files.
RestrictSUIDSGID=true
# Only the native syscall ABI is allowed (no 32-bit compat calls on 64-bit).
SystemCallArchitectures=native

# NOTE(review): not set in this unit: RestrictAddressFamilies=,
# SystemCallFilter=, PrivateUsers=, UMask=. They are candidates for further
# tightening; test each against the running service before enabling.
# MemoryDenyWriteExecute= is also absent, presumably on purpose, since a JIT
# runtime such as Node normally needs writable+executable mappings.
# NOTE(review): some directives above (e.g. ProtectProc=, ProtectClock=) need
# a fairly recent systemd. An older one logs a warning and ignores the line,
# silently weakening the sandbox. Check the result on the target host with
# `systemd-analyze security <unit>`.

[Install]
WantedBy=multi-user.target