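# systemd service unit for the Nextcloud notify_push daemon.
# Layout restored to one directive per line: systemd reads one assignment per
# line and only recognises comments that occupy a whole line.

[Unit]
Description=Push daemon for Nextcloud clients

[Service]
# If NC_CLIENT_PUSH_ARGS needs to be adjusted, it should be adjusted
# using a drop-in systemd file. See `man 5 systemd.unit` for details.
Environment=NC_CLIENT_PUSH_ARGS="/etc/webapps/nextcloud/config/config.php"
# The unbraced $NC_CLIENT_PUSH_ARGS is split on whitespace by systemd, so a
# drop-in may put several arguments into the variable.
# NOTE(review): ARCH looks like a placeholder substituted at packaging or
# install time - confirm the installed unit carries a real path.
ExecStart=/usr/share/webapps/nextcloud/apps/notify_push/bin/ARCH/notify_push $NC_CLIENT_PUSH_ARGS
# Runs unprivileged. NOTE(review): config.php presumably holds Nextcloud
# secrets and must be readable by this user - confirm its mode and ownership.
User=nextcloud
Group=nextcloud
Restart=on-failure
RestartSec=5s

# hardening options
# Check the effective sandbox with `systemd-analyze security` on this unit
# after any drop-in change.
# Files created by the service are accessible to their owner only.
UMask=0077
# The service and its children cannot gain privileges through execve().
NoNewPrivileges=true
# Raises the open-file limit (a resource setting, not a restriction).
# NOTE(review): presumably sized for many concurrent client connections.
LimitNOFILE=1048576
# The file system is mounted read-only for the service and home directories
# are inaccessible. No ReadWritePaths= is granted here, so a drop-in that
# makes the daemon write to disk (for example a Unix socket path) also has to
# provide a writable location such as RuntimeDirectory=.
ProtectSystem=strict
ProtectHome=true
# Was "yes"; written as "true" to match the other boolean settings
# (systemd treats both spellings identically).
PrivateUsers=true
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
# Only Unix-domain, IPv4 and IPv6 sockets may be created.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
LockPersonality=true
# Memory mappings that are both writable and executable are refused.
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
# Empty assignments: the service keeps no capabilities at all.
CapabilityBoundingSet=
AmbientCapabilities=
# Order matters: the first line is the allow-list, the second line removes the
# @privileged and @resources groups from it.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target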