[Unit]
Description=Vaultwarden, password manager server writen in Rust
Documentation=https://github.com/dani-garcia/vaultwarden

After=network.target
Wants=network.target

After=mariadb.service
Wants=mariadb.service

After=mysqld.service
Wants=mysqld.service

After=postgresql-12.service postgresql-13.service postgresql-14.service postgresql-15.service postgresql-16.service
Wants=postgresql-12.service postgresql-13.service postgresql-14.service postgresql-15.service postgresql-16.service

[Service]
EnvironmentFile=/etc/%N.env
ExecStart=/usr/bin/%N
WorkingDirectory=/var/lib/%N

User=%N
Group=%N
UMask=0027

# Sandboxing and hardening systemd.exec(5)
PrivateUsers=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
RestrictRealtime=yes
PrivateTmp=true
PrivateDevices=true
ProtectHome=true

# set entire file system to read only except following ReadWritePaths
ProtectSystem=strict
ReadWritePaths=/var/lib/%N /var/log/%N.log

# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64

[Install]
WantedBy=multi-user.target