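# systemd unit for /usr/bin/http-redirector.
# The process runs as the unprivileged user http-redirector and is given
# 127.0.0.1:7567 as its listen address via ROCKET_ADDRESS / ROCKET_PORT, so it
# is reachable only from the local host unless something forwards to it.
# Once installed, `systemd-analyze security <unit-name>.service` scores the
# sandboxing below.

[Unit]
# After= only orders start-up; it does not pull the target in. Wants= is what
# makes network-online.target part of the boot transaction, so the ordering
# actually takes effect.
# NOTE(review): the listener is on loopback; if the service needs no configured
# network at all, both lines can be dropped instead. Confirm.
Wants=network-online.target
After=network-online.target

[Service]
User=http-redirector
Environment=RUST_LOG=info
Environment=REDIRECTOR_ROUTES_FILE=/etc/http-redirector-routes.toml
Environment=ROCKET_PORT=7567
Environment=ROCKET_ADDRESS=127.0.0.1
ExecStart=/usr/bin/http-redirector
Restart=on-failure
RestartSec=5s

# --- File system ---
# strict: the whole hierarchy is read-only for the service except /dev, /proc
# and /sys. No ReadWritePaths=/StateDirectory= is set, so the only writable
# location is the private /tmp below.
ProtectSystem=strict
# Redundant under ProtectSystem=strict, but states the intent explicitly.
# Without a leading "-" the unit fails to start if the file is missing.
ReadOnlyPaths=/etc/http-redirector-routes.toml
# /home, /root and /run/user are made inaccessible.
ProtectHome=yes
# Private /tmp and /var/tmp, removed when the service stops.
PrivateTmp=yes
# Private /dev with pseudo-devices only; DevicePolicy=closed enforces the same
# restriction at the cgroup level.
PrivateDevices=yes
DevicePolicy=closed
# Own mount namespace; mounts made by the service do not propagate to the host.
PrivateMounts=yes

# --- Privileges and identity ---
# execve() cannot gain privileges through setuid/setgid bits or file caps.
NoNewPrivileges=yes
# Empty set: the service holds no capabilities. Port 7567 is unprivileged, so
# CAP_NET_BIND_SERVICE is not needed.
CapabilityBoundingSet=
# Separate user namespace; host users other than root and the service user
# appear as "nobody".
PrivateUsers=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
# SysV/POSIX IPC objects owned by the service user are removed on stop.
RemoveIPC=yes

# --- Kernel interfaces ---
ProtectClock=yes
ProtectHostname=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes

# --- System calls, memory and sockets ---
SystemCallArchitectures=native
# @system-service is a broad allow-list.
# NOTE(review): a further `SystemCallFilter=~@privileged @resources` line is a
# common tightening; test it against the binary before enabling.
SystemCallFilter=@system-service
# No mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=yes
# socket() is limited to these families; AF_UNIX is not among them.
# NOTE(review): AF_NETLINK is presumably for interface/route lookups; drop it
# if the binary starts without it. Confirm.
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK

[Install]
WantedBy=multi-user.target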