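# systemd service unit (Jinja template) for the IRC daemon.
# Comments are on their own lines: systemd does not support trailing
# comments after a value.

[Unit]
Description=Inspire IRC daemon

# Execution and sandboxing directives must sit under [Service]. systemd
# ignores them in [Unit], which would leave the service without an
# ExecStart= and without any of the hardening below.
[Service]
ExecStart={{ inspircd.paths.config }}/bin/inspircd
Restart=always

# Run under a transient, unprivileged UID/GID allocated at start-up.
DynamicUser=yes

# File-system view: read-only everywhere, with only the listed paths bound in.
# NOTE(review): RootDirectory= and TemporaryFileSystem=/:ro both redefine
# what the service sees at /. Confirm the combination is intended and that
# the ExecStart= path still resolves inside the resulting namespace.
# NOTE(review): no writable path is declared. If the daemon writes logs, a
# pid file or other state, add StateDirectory=/LogsDirectory=/RuntimeDirectory=
# rather than loosening ProtectSystem=.
ProtectSystem=strict
TemporaryFileSystem=/:ro
BindReadOnlyPaths=/usr /lib /lib64 {{ inspircd.paths.config }}
RootDirectory={{ inspircd.paths.config }}
PrivateTmp=yes
PrivateDevices=yes

# Privilege and kernel-surface restrictions.
PrivateUsers=yes
NoNewPrivileges=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes

# Socket families the daemon may create.
# NOTE(review): presumably AF_NETLINK is here for interface/address lookups.
# Drop it if the daemon starts without it.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK

# Not set in this unit: CapabilityBoundingSet=, SystemCallFilter=,
# ProtectKernelLogs=, ProtectClock=, ProtectHostname=.
# `systemd-analyze security <unit-name>` reports the remaining exposure.

[Install]
WantedBy=multi-user.target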