# systemd service unit for gotify-server, run as a dedicated unprivileged
# account inside a restricted sandbox.

[Unit]
Description=gotify
# Ordering only: start after network.target has been reached.
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/gotify-server

# --- Identity -------------------------------------------------------------
# Run as the dedicated gotify account rather than root.
User=gotify
Group=gotify
Environment=USER=gotify
Environment=HOME=/var/lib/gotify

# --- State ----------------------------------------------------------------
# systemd creates /var/lib/gotify owned by the service user with mode 0750;
# it stays writable even though ProtectSystem=strict is set below.
StateDirectory=gotify
StateDirectoryMode=0750
# "~" resolves to the home directory of the User= account.
WorkingDirectory=~

# --- File system sandbox --------------------------------------------------
# Mount the whole file system hierarchy read-only for this service
# (except /dev, /proc and /sys, which have their own options).
ProtectSystem=strict
# Make /home, /root and /run/user inaccessible.
ProtectHome=true
# Private /tmp and /var/tmp, not shared with other processes.
PrivateTmp=true
# Private /dev containing only pseudo-devices; no physical device nodes.
PrivateDevices=true
# Re-opens write access to the configuration file under ProtectSystem=strict.
# Ordinary file permissions still apply on top of this.
# NOTE(review): read access needs no exception here; if the server only reads
# its configuration, this write exception lets a compromised process modify
# its own settings and could be dropped. Confirm against the server's
# behaviour before changing.
# NOTE(review): without a leading "-", a missing path makes namespace setup
# (and so the unit start) fail; verify the package always ships this file.
ReadWritePaths=/etc/gotify/config.yml

# --- User namespace -------------------------------------------------------
# Separate user namespace: only root, nobody and the service user are mapped,
# so the process holds no capabilities in the host's user namespace.
PrivateUsers=true

# --- Kernel interfaces ----------------------------------------------------
# /sys/fs/cgroup read-only.
ProtectControlGroups=true
# /proc/sys, /sys and similar kernel tunables read-only.
ProtectKernelTunables=true
# Deny explicit kernel module loading and unloading.
ProtectKernelModules=true

# --- System call and execution restrictions -------------------------------
# With User= set, the seccomp-based options below imply NoNewPrivileges=yes.
# Forbid changing the kernel execution domain (personality).
LockPersonality=true
# Forbid memory mappings that are both writable and executable.
MemoryDenyWriteExecute=true
# Forbid acquiring realtime scheduling.
RestrictRealtime=true
# Allow only system calls of the native ABI.
SystemCallArchitectures=native
# Allow-list limited to systemd's predefined @system-service call group.
SystemCallFilter=@system-service
# NOTE(review): socket address families, namespace creation and the
# capability bounding set are not restricted by this unit. Running
# `systemd-analyze security <unit-name>.service` (placeholder name) lists the
# exposure that remains.

[Install]
WantedBy=multi-user.target