# pushpin.service — systemd unit for the Pushpin reverse proxy.
# Read by systemd (unit-file dialect: '#' full-line comments, '=' delimiter,
# yes/no booleans). Only comments were added; every directive is unchanged.
[Unit]
Description=Pushpin reverse proxy for realtime web services
# Ordering only (start after network.target); not a dependency on it.
After=network.target

[Service]
# Run unprivileged. The 'pushpin' user and group must already exist on the
# host; this unit does not create them (no DynamicUser=).
User=pushpin
Group=pushpin
# Two disabled lines below (ExecStartPre= and the first ExecReload=) would run a
# config validation step. No reason for disabling them is recorded here —
# confirm whether validation is still wanted and either re-enable or remove
# the dead lines rather than keep them as archaeology.
#ExecStartPre=/usr/bin/pushpin validate /etc/pushpin/pushpin.conf
ExecStart=/usr/bin/pushpin --config /etc/pushpin/pushpin.conf
#ExecReload=/usr/bin/pushpin validate /etc/pushpin/pushpin.conf
# Reload sends SIGHUP to the main process; this relies on pushpin treating HUP
# as "reload" rather than "terminate" — confirm against pushpin's signal handling.
ExecReload=/bin/kill -HUP $MAINPID
# Not restarted automatically on exit or crash: an abnormal exit leaves the
# service down until an operator intervenes. Deliberate? (on-failure is the
# usual choice for a network-facing daemon.)
Restart=no

# capabilities
# Only the capability needed to bind ports below 1024 is granted. Everything
# else is removed from the bounding set, so it cannot be regained later
# (NoNewPrivileges= below additionally blocks privilege gain via setuid/fscaps).
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# sandboxing
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
# strict: the whole filesystem is read-only to the service except /dev, /proc,
# /sys and the directories granted below (StateDirectory=). NOTE(review): any
# runtime or log directory that /etc/pushpin/pushpin.conf points at outside
# /var/lib/pushpin would need RuntimeDirectory=/LogsDirectory= (or
# ReadWritePaths=) — confirm against the config.
ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
PrivateTmp=yes
PrivateDevices=yes
# Only UNIX-domain sockets and IPv4/IPv6 are reachable; socket() for any other
# address family fails.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
LockPersonality=yes
# Forbids writable+executable memory mappings (W^X). This breaks JIT runtimes;
# presumably none of pushpin's components need one — verify if a component
# starts failing under this setting.
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
NoNewPrivileges=yes
RemoveIPC=yes
RestrictNamespaces=yes
# Writable state lives under /var/lib/pushpin, which systemd creates and owns
# for the service user with mode 0750.
WorkingDirectory=/var/lib/pushpin
StateDirectory=pushpin
StateDirectoryMode=0750

# syscall filtering
# Allow-list. @system-service is the usual baseline for daemons. @debug adds
# ptrace, perf_event_open and related debugging syscalls on top of it, which
# widens the seccomp allow-list and partly undercuts the sandboxing above.
# NOTE(review): no reason for @debug is recorded here. If pushpin does not need
# it at runtime, dropping it is the single largest tightening available in
# this file; confirm with the maintainer before changing. A filtered syscall
# terminates the process by default, since no SystemCallErrorNumber= is set.
SystemCallFilter=@system-service @debug
# Refuse non-native ABIs (e.g. 32-bit compat syscalls) so the filter above
# cannot be sidestepped via another syscall table.
SystemCallArchitectures=native

# process properties
# Files the service creates are private to its own user (no group/other bits).
UMask=077

[Install]
WantedBy=multi-user.target