[Unit]
Description=node-red
After=network.target
After=mosquitto.service

[Service]
ExecStart=npm start
WorkingDirectory=/usr/lib64/node_modules/node-red/packages/node_modules/node-red/
StandardOutput=inherit
StandardError=inherit
Restart=always
User=node-red

CapabilityBoundingSet=
NoNewPrivileges=true
RemoveIPC=true
LockPersonality=true

ProtectControlGroups=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectHostname=true
ProtectProc=noaccess
ProtectClock=yes
DeviceAllow=char-* rw

RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/var/lib/node-red

SystemCallArchitectures=native
SystemCallFilter=@system-service @pkey

[Install]
WantedBy=multi-user.target