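# systemd unit template for the Pleroma service. The brace-delimited pleroma.*
# placeholders are substituted by the templating tool before the unit is installed.
# After rendering, "systemd-analyze security UNIT" (UNIT = the installed unit name)
# reports which sandboxing options are still open.
[Unit]
Description=Pleroma
After=network.target

[Service]
# Migrations run before every start; a failing ExecStartPre= command (no "-" prefix)
# prevents ExecStart= from running.
ExecStartPre={{ pleroma.root }}/bin/pleroma_ctl migrate
ExecStart={{ pleroma.root }}/bin/pleroma start
# NOTE(review): "nobody" is a shared catch-all account, so anything else running as
# nobody can touch this service's files and processes. A dedicated service account is
# the usual least-privilege choice; changing it also means re-owning the data path.
User=nobody
Restart=on-failure

# Filesystem view: "/" is replaced by an empty read-only tmpfs, and only the
# BindPaths= entries below are mounted into it.
# NOTE(review): no entry binds the release directory used by ExecStart=, nor system
# paths such as /usr or /lib. Confirm on a test host that the binaries and their
# libraries are reachable inside this namespace.
ProtectSystem=strict
TemporaryFileSystem=/:ro
# The data directory appears as /pleroma-data inside the sandbox.
# NOTE(review): BindPaths= mounts are writable. If the service only reads
# /etc/pleroma, moving that entry to BindReadOnlyPaths= stops a compromised process
# from rewriting its own configuration. Verify nothing writes there first.
BindPaths={{ pleroma.data }}:/pleroma-data /etc/pleroma

# Privilege and kernel-surface restrictions.
# (A second, identical ProtectSystem=strict line was dropped here; same value, no
# behavior change.)
NoNewPrivileges=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Socket families the service may create; every other family is refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Refuses memory mappings that are writable and executable at the same time.
# NOTE(review): verify the runtime bundled with the release starts under this setting.
MemoryDenyWriteExecute=yes
LockPersonality=yes
PrivateTmp=yes
PrivateDevices=yes
# NOTE(review): CapabilityBoundingSet= and SystemCallFilter= are not set in this unit;
# both are candidates for further tightening once the service is confirmed working.

[Install]
WantedBy=multi-user.target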