File rspamd.service of Package rspamd-hardened
# rspamd.service: runs rspamd in the foreground as an unprivileged,
# sandboxed service. Directives are grouped by purpose; their values are
# unchanged.

[Unit]
Description=rapid spam filtering system
Documentation=https://rspamd.com/doc/
# After= only orders startup; it does not pull these units in. With no
# Wants=/Requires= here, network-online.target and valkey.service are
# waited for only if something else starts them.
After=nss-lookup.target network-online.target valkey.service

[Service]
# --- Process -------------------------------------------------------------
# -f keeps rspamd in the foreground so systemd supervises the main process.
ExecStart=/usr/bin/rspamd -c /etc/rspamd/rspamd.conf -f
# Reload is a SIGHUP to the main process.
ExecReload=/usr/bin/kill -HUP $MAINPID
# Restart=always also restarts after a seccomp kill (see SystemCallFilter
# below), so a blocked syscall shows up as a restart loop in the journal.
Restart=always
# The limit is applied by systemd before exec; the @resources deny-list
# below filters the syscalls that change resource limits afterwards.
LimitNOFILE=1048576
# Only affects file descriptors passed in through socket activation.
NonBlocking=true

# --- Identity and privileges ---------------------------------------------
# DynamicUser= uses a static "rspamd" account if one exists, otherwise it
# allocates a transient one. It also implies ProtectSystem=strict,
# PrivateTmp=, RemoveIPC=, NoNewPrivileges= and RestrictSUIDSGID=, which is
# why those are not listed explicitly.
DynamicUser=true
User=rspamd
Group=rspamd
# Own user namespace: the service holds no capabilities on the host.
PrivateUsers=true
# Empty value = drop every capability from the bounding set.
CapabilityBoundingSet=
# New files are created without group/other read or write permission.
UMask=0066

# --- Filesystem ----------------------------------------------------------
# With the file system read-only (implied ProtectSystem=strict), these are
# the managed locations under /etc, /run, /var/lib and /var/log.
# ConfigurationDirectory= is not chowned to the service user.
ConfigurationDirectory=rspamd
RuntimeDirectory=rspamd
StateDirectory=rspamd
LogsDirectory=rspamd
# Stricter than the read-only default implied by DynamicUser=: home
# directories are inaccessible.
ProtectHome=true
# Private /dev with pseudo-devices only.
PrivateDevices=true
# Hide other users' processes and expose only the per-process part of /proc.
ProtectProc=invisible
ProcSubset=pid

# --- Kernel and host interfaces ------------------------------------------
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true

# --- Network and namespaces ----------------------------------------------
# Sockets limited to IPv4, IPv6 and UNIX; no netlink or packet sockets.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true

# --- System calls --------------------------------------------------------
# Order matters: the first line sets the allow-list, the second subtracts
# groups from it. No SystemCallErrorNumber= is set, so a filtered call
# terminates the process instead of returning an error.
SystemCallFilter=@system-service
SystemCallFilter=~@resources @privileged
SystemCallArchitectures=native
RestrictRealtime=true
LockPersonality=true
# NOTE(review): MemoryDenyWriteExecute= is absent; presumably deliberate
# for a JIT-enabled Lua runtime. Confirm before adding it.

[Install]
WantedBy=multi-user.target