[Unit]
Description=Trilium server daemon
After=syslog.target network.target

[Service]
User=triliumserver
Group=triliumserver
Type=simple
Environment=TRILIUM_DATA_DIR=/var/lib/trilium-server
Environment=TRILIUM_CONFIG_INI_PATH=/etc/trilium-server.conf
Environment=TRILIUM_LOG_DIR=/var/log/trilium-server
ExecStart=/usr/bin/trilium-server
WorkingDirectory=/var/lib/trilium-server

# Sandboxing
ProtectProc=invisible
ProtectSystem=strict
ReadWritePaths=/var/lib/trilium-server /var/log/trilium-server
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
PrivateIPC=yes
PrivateUsers=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
NoNewPrivileges=yes
SystemCallArchitectures=native

TimeoutStopSec=20
# KillMode=process leads to error, according to https://www.freedesktop.org/software/systemd/man/systemd.kill.html
Restart=always

[Install]
WantedBy=multi-user.target