[Unit]
Description=Hound Code Search and Indexing Daemon
Documentation=https://github.com/hound-search/hound
Requires=network-online.target
After=network-online.target

[Service]
User=hound
Group=hound
WorkingDirectory=/var/lib/hound
ExecStart=/usr/bin/houndd
Restart=always
RestartSec=30

# Hardening
ReadWritePaths=/var/lib/hound
NoNewPrivileges=true
LimitNOFILE=1048576
UMask=0077
ProtectSystem=full
ProtectHome=true
PrivateUsers=yes
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
CapabilityBoundingSet=
AmbientCapabilities=
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target