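# systemd user unit for the mpd scrobbler.
# Paths use %h (the user's home), so this is meant for the user manager
# (systemctl --user). Parser: systemd -- Key=Value, full-line # comments only.

[Unit]
Description=mpd scrobbler
Documentation=https://git.fcuny.net/fcuny/mpd-stats
# Skip the unit when the binary has not been built/installed yet.
ConditionFileIsExecutable=%h/workspace/go/bin/mpd-scrobbler

[Service]
ExecStart=%h/workspace/go/bin/mpd-scrobbler
Restart=on-failure

# NOTE(review): the mount-namespace options below (PrivateTmp, ProtectSystem,
# ProtectHome, ProtectControlGroups, ProtectProc, ProtectKernel*) only take
# effect in a user unit if unprivileged user namespaces are available on the
# host -- confirm with `systemd-analyze --user security`.
PrivateTmp=yes
ProtectSystem=strict
NoNewPrivileges=yes
# ProtectHome=yes would make /home empty inside the service's mount namespace,
# but the binary itself lives under %h, so ExecStart could not find it.
# read-only keeps the home directory reachable while still denying writes
# (this daemon is not supposed to create any files).
ProtectHome=read-only

# Prohibit access to any kind of namespacing:
RestrictNamespaces=yes

# Make cgroup file system hierarchy inaccessible:
ProtectControlGroups=yes

# Deny access to other user's information in /proc:
ProtectProc=invisible

# Only allow access to /proc pid files, no other files:
ProcSubset=pid

# Make kernel tunables, module loading and the kernel log ring buffer
# inaccessible; a scrobbler has no business with any of them.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes

# No realtime scheduling and no creation of set-user-ID/set-group-ID files.
RestrictRealtime=yes
RestrictSUIDSGID=yes

# This daemon must not create any new files, but set the umask to 077 just in case.
UMask=077

# Filter dangerous system calls. The following is listed as safe basic choice
# in systemd.exec(5):
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
# Filtered calls fail with EPERM instead of killing the process.
SystemCallErrorNumber=EPERM

# Deny kernel execution domain changing:
LockPersonality=yes

# Deny memory mappings that are writable and executable:
MemoryDenyWriteExecute=yes

[Install]
# Lets `systemctl --user enable` start the daemon with the user session.
WantedBy=default.target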