[Unit] Description=WriteFreely After=syslog.target After=network.target After=mysqld.service After=mariadb.service [Service] User=writefreely Group=writefreely Type=simple WorkingDirectory=/var/lib/writefreely ExecStart=/usr/bin/writefreely -c /etc/writefreely/config.ini Restart=always RestartSec=2s CapabilityBoundingSet= NoNewPrivileges=true PrivateUsers=true PrivateDevices=true PrivateTmp=true ProtectHome=true ProtectSystem=strict ProtectControlGroups=yes ProtectKernelTunables=true ProtectKernelModules=yes ReadWritePaths=/var/lib/writefreely LockPersonality=true MemoryDenyWriteExecute=true RestrictRealtime=true SystemCallArchitectures=native SystemCallFilter=@system-service [Install] WantedBy=multi-user.target