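[Unit]
Description=scrapbook server
# Order after basic networking so the listening socket is bound once the
# network stack is configured.
After=network.target

[Service]
User=scrapbook
Group=scrapbook
Restart=always
ExecStart=/usr/bin/scrapbook

# Only capability kept: binding ports below 1024. With NoNewPrivileges the
# process cannot regain anything via setuid or file-capability binaries.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

# Syscall allow-list. Unlisted calls fail with EPERM instead of SIGSYS, so a
# blocked call surfaces in the service's own error handling/logs rather than
# as a crash.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Reject non-native ABIs (e.g. 32-bit compat syscalls on x86-64) that the
# filter above would otherwise need to cover separately.
SystemCallArchitectures=native

# Filesystem view: read-only everywhere except the state directory.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
# /var and /etc are replaced by empty read-only tmpfs; only the two paths
# below are bound back in. Everything else under /etc (resolv.conf, hosts,
# nsswitch.conf, ssl/certs, localtime, ...) is invisible to the service.
# NOTE(review): if the binary needs DNS, TLS trust roots or local time,
# add those files/dirs to BindReadOnlyPaths= — confirm against the binary.
TemporaryFileSystem=/var:ro /etc:ro
BindReadOnlyPaths=/etc/scrapbook
BindPaths=/var/lib/scrapbook
# Mount-level W^X: nothing is executable except the listed paths. The library
# directories must remain executable, otherwise the dynamic linker cannot map
# shared objects and a dynamically linked /usr/bin/scrapbook fails to start
# (harmless surplus for a static binary). On systems without merged /usr,
# add /lib and /lib64 as well.
NoExecPaths=/
ExecPaths=/usr/bin/scrapbook /usr/lib /usr/lib64

# Kernel attack-surface reduction.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
# Hide other processes in /proc from the service.
ProtectProc=invisible
# No user/mount/net/pid namespace creation from inside the service.
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
# Candidates that depend on what the binary does — confirm before enabling:
#   RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX  (add AF_NETLINK if the runtime needs it)
#   MemoryDenyWriteExecute=true                       (breaks JIT-based runtimes)

[Install]
WantedBy=multi-user.target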