[Unit]
Description=Unofficial Bitwarden compatible server written in Rust
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target mariadb.service mysqld.service postgresql.service

[Service]
ExecStart=/usr/bin/vaultwarden
WorkingDirectory=/var/lib/vaultwarden
User=vaultwarden
Group=vaultwarden

# Allow vaultwarden to bind ports in the range of 0-1024
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

NoNewPrivileges=yes

LimitNOFILE=1048576
UMask=0077
LimitNPROC=64

ProtectSystem=strict
ProtectHome=true
ReadWriteDirectories=/var/lib/vaultwarden
PrivateUsers=yes
PrivateTmp=true
PrivateDevices=true
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes

SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native

Environment="WEB_VAULT_FOLDER=/usr/share/vaultwarden-web-vault/htdocs"
EnvironmentFile=/etc/vaultwarden.env

[Install]
WantedBy=multi-user.target