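# Template unit (this file is instantiated as <name>@<instance>.service; %i is
# the instance name). Runs one Go web binary from /var/www/gosvc/%i as a
# sandboxed, transient unprivileged user. Comments are full-line '#' only;
# systemd does not support trailing comments.

[Unit]
Description=Gosvc %i Web Service
# Ordering only: start after nginx when both are scheduled; this does not
# pull nginx in (no Wants=/Requires=).
After=nginx.service

[Service]
Type=simple
ExecStart=/var/www/gosvc/%i
# Leading '-' makes a missing env file non-fatal; keep secrets out of it
# where possible (it is read as plain text at start-up).
EnvironmentFile=-/var/www/gosvc/%i.env
# Resolves the former "Restart=??" question: restart after an abnormal exit
# (non-zero status, fatal signal, watchdog/timeout), but not after a clean
# exit or an explicit stop. Tune RestartSec= if an instance flaps.
Restart=on-failure
# stdin is the activating socket, so a matching <name>@.socket unit is
# expected to exist — TODO confirm. stdout/stderr go to the journal.
StandardInput=socket
StandardOutput=journal
StandardError=journal
# Only the service's own processes are visible under /proc.
ProcSubset=pid
ProtectProc=invisible
# Transient unprivileged UID/GID per instance. Since the service runs without
# privileges, the capability bounding set is emptied outright (resolves the
# former "CapabilityBoundingSet=??" question); no AmbientCapabilities= needed.
DynamicUser=true
CapabilityBoundingSet=
NoNewPrivileges=true
LimitNOFILE=1024
# Filesystem: read-only system, no home directories, a private writable
# state directory (/var/lib/gosvc-%i, owner-only) and private /tmp, /dev.
ProtectSystem=strict
ProtectHome=true
StateDirectory=gosvc-%i
StateDirectoryMode=0700
PrivateTmp=true
PrivateDevices=true
# Kernel-facing surface: hostname, clock, sysctls, modules, kernel log and
# cgroup tree are all read-only or hidden for this service.
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
# Only IPv4/IPv6 sockets may be created. NOTE(review): if the binary ever
# uses syslog(3) or sd_notify(), AF_UNIX would have to be added here —
# cannot be determined from this file.
RestrictAddressFamilies=AF_INET AF_INET6
LockPersonality=true
RestrictNamespaces=true
# No writable+executable memory mappings (Go binaries do not need them).
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
# Restrict the seccomp filter to the native syscall ABI so the allowlist
# below cannot be sidestepped via a secondary ABI (e.g. 32-bit compat calls).
SystemCallArchitectures=native
# Allowlist: only the listed syscall groups and individual syscalls are
# permitted; everything else is rejected. If the binary needs more, extend
# this list rather than dropping the filter — seccomp denials are logged
# in the journal (audit/SECCOMP) to help identify them.
SystemCallFilter=@basic-io @file-system @io-event @ipc @network-io @process @signal @sync @timer mprotect madvise mremap brk copy_file_range fadvise64 fadvise64_64 flock getcpu getrandom readdir sched_yield sched_getaffinity sendfile sendfile64 splice tee umask sysinfo uname ioctl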