[Unit]
Description=BookStack {{ bookstack_id }} Queue Worker

[Service]
User={{ bookstack_php_user }}
Group={{ bookstack_php_user }}
Restart=always
ExecStart=/bin/php{{ bookstack_php_version }} {{ bookstack_root_dir }}/app/artisan queue:work --sleep=3 --tries=1 --max-time=3600
NoNewPrivileges=true
PrivateDevices=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
RestrictRealtime=true
RestrictNamespaces=yes
ReadWritePaths={{ bookstack_root_dir }}
PrivateTmp=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
SystemCallErrorNumber=EPERM
LockPersonality=yes
MemoryDenyWriteExecute=yes

[Install]
WantedBy=multi-user.target