[Unit]
Description=Paperless webserver service
After=network.target
Requires=redis.service
PartOf=paperless.target

[Service]
User=paperless
Group=paperless
EnvironmentFile=/etc/paperless.conf
ExecStart=/var/lib/paperless/venv/bin/gunicorn -c /usr/share/paperless/gunicorn.conf.py paperless.asgi:application
Restart=on-abort

PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

RestrictNamespaces=yes

SystemCallArchitectures=native
SystemCallFilter=@system-service
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

WorkingDirectory=/usr/share/paperless/src
ReadWriteDirectories=/var/lib/paperless /tmp /var/tmp
# Allow to bind ports in the range of 0-1024
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]
WantedBy=paperless.target