From 1d5d47c2f799717d5786d66a491bf7f4bfe38977 Mon Sep 17 00:00:00 2001
From: Leonardo Bishop
Date: Wed, 6 Aug 2025 22:46:48 +0100
Subject: Add service file
---
 .gitignore | 2 +-
 scrapbook.service | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 scrapbook.service
diff --git a/.gitignore b/.gitignore
index 813091e..21b23b4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,5 +2,5 @@
 !.gitignore
 !PKGBUILD
 !scrapbook-sysusers.conf
-!scrapbook.conf
+!scrapbook.service
 !config.toml
\ No newline at end of file
diff --git a/scrapbook.service b/scrapbook.service
new file mode 100644
index 0000000..af6379d
--- /dev/null
+++ b/scrapbook.service
@@ -0,0 +1,35 @@
+[Unit]
+Description=scrapbook server
+
+[Service]
+User=scrapbook
+Group=scrapbook
+Restart=always
+ExecStart=/usr/bin/scrapbook
+
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+TemporaryFileSystem=/var:ro /etc:ro
+BindReadOnlyPaths=/etc/scrapbook
+BindPaths=/var/lib/scrapbook
+NoExecPaths=/
+ExecPaths=/usr/bin/scrapbook
+
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectClock=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+
+[Install]
+WantedBy=multi-user.target
-- 
cgit v1.2.3-70-g09d2
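Review bot: In `scrapbook.service`, `SystemCallFilter=@system-service` is set without `SystemCallArchitectures=native`, and systemd's documentation recommends pairing the two so that alternative ABIs cannot be used to get around the filter. The `[Service]` section also leaves socket address families, namespace creation and the execution personality unrestricted; the lines below would close those, with the `RestrictAddressFamilies=` list being a guess that should be checked against what scrapbook actually opens. Separately, `NoExecPaths=/` with only `ExecPaths=/usr/bin/scrapbook` is fine for a statically linked binary, but a dynamically linked one would presumably also need the loader and library directories (such as `/usr/lib`) listed. The empty `TemporaryFileSystem=/etc:ro` also hides `/etc/resolv.conf` and the CA bundle, which matters if the server ever makes outbound connections.

```ini
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
LockPersonality=true
ProtectHostname=true
# … unchanged: filesystem sandboxing and kernel protections …
```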