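# darkhttpd.service — Ansible/Jinja2 template for a systemd unit that runs
# darkhttpd as an unprivileged, sandboxed static file server.
# Template variables: darkhttpd.port, darkhttpd.servepath, darkhttpd.path and
# ansible_ens10.ipv4.address (the interface name ens10 is hard-coded in the
# variable name; adjust it if the bind interface differs between hosts).
# Booleans are written yes/no throughout (systemd also accepts true/false);
# the original mixed both forms and listed ProtectSystem= twice.

[Unit]
Description=DarkHTTP Daemon
After=network.target

[Service]
# With RootDirectory= set, the ExecStart= binary and the mount paths below are
# resolved inside the new root, so /darkhttpd and /data are paths under darkhttpd.path.
ExecStart=/darkhttpd /data --port {{ darkhttpd.port }} --addr {{ ansible_ens10.ipv4.address }}
Restart=always

# Transient unprivileged UID/GID per invocation. DynamicUser= already implies
# ProtectSystem=strict, PrivateTmp=yes, NoNewPrivileges=yes and RestrictSUIDSGID=yes;
# they are kept explicit below so the effective sandbox is readable in one place.
DynamicUser=yes

# Filesystem view: chroot into darkhttpd.path, cover it with a read-only tmpfs,
# then expose only the runtime directories and the content tree (mounted at /data).
# BindReadOnlyPaths= is whitespace-separated, so darkhttpd.servepath must not contain spaces.
RootDirectory={{ darkhttpd.path }}
TemporaryFileSystem=/:ro
BindReadOnlyPaths=/usr /lib /lib64 {{ darkhttpd.servepath }}:/data
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

# Privilege and kernel attack-surface reduction.
# The service runs without capabilities; a port below 1024 would additionally need
# AmbientCapabilities=CAP_NET_BIND_SERVICE and CAP_NET_BIND_SERVICE in CapabilityBoundingSet=.
PrivateUsers=yes
NoNewPrivileges=yes
CapabilityBoundingSet=
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
# AF_NETLINK is carried over from the original list; confirm the daemon needs it
# before keeping it (a static file server normally only needs AF_INET/AF_INET6).
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
SystemCallArchitectures=native
# Coarse syscall allow-list for ordinary services; verify against the darkhttpd
# binary (e.g. with systemd-analyze syscall-filter and a test run) before rollout.
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target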