[Unit]
Description=Vaultwarden - Unofficial Bitwarden compatible server written in Rust
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target mariadb.service mysqld.service postgresql.service

[Service]
User=vaultwarden
Group=vaultwarden
Environment="WEB_VAULT_FOLDER=/usr/share/vaultwarden-web-vault/htdocs"
EnvironmentFile=/etc/vaultwarden.env
ExecStart=/usr/bin/vaultwarden

LimitNOFILE=1048576
LimitNPROC=256

PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

RestrictNamespaces=yes

SystemCallArchitectures=native
SystemCallFilter=@system-service
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

WorkingDirectory=/var/lib/vaultwarden
ReadWriteDirectories=/var/lib/vaultwarden
# Allow vaultwarden to bind ports in the range of 0-1024
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target