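# systemd unit template for the Penpot backend service.
# The double-brace placeholders are filled in by the templating step before
# the unit is installed. systemd only accepts full-line comments, so every
# note sits on its own line above the setting it describes.

[Unit]
Description=Penpot server
After=syslog.target network.target

[Service]
Type=simple
# Run as a dedicated service account rather than root.
User={{ penpot_user }}
WorkingDirectory={{ penpot_root_dir }}/backend
# NOTE(review): if this file carries credentials (database password, API
# keys), keep it owned by root or the service account and not world-readable.
EnvironmentFile={{ penpot_root_dir }}/etc/env
ExecStart={{ penpot_root_dir }}/backend/run.sh
# 143 = 128 + 15 (SIGTERM): exiting on a stop request counts as a clean exit,
# so Restart=on-failure does not fire after a normal "systemctl stop".
SuccessExitStatus=143
SyslogIdentifier=penpot-server

# Restart policy. Restart= was listed twice with the same value; one is kept.
Restart=on-failure
RestartSec=30
# 0 disables start rate limiting, so a crash loop restarts every RestartSec
# indefinitely. Legacy [Service] spelling, still accepted by systemd.
StartLimitInterval=0

# Resource limits.
# NOTE(review): MemoryLimit= is the deprecated cgroup-v1 name; on hosts using
# the unified cgroup hierarchy MemoryMax= is the supported setting. Confirm
# the limit is really enforced on the target hosts.
MemoryLimit=2048M

# Privilege and kernel-surface restrictions.
NoNewPrivileges=true
LockPersonality=true
RestrictRealtime=true
RestrictNamespaces=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
PrivateDevices=true

# File system sandbox.
PrivateTmp=yes
ProtectHome=true
# The original set ProtectSystem=full and later ProtectSystem=strict. The last
# assignment wins, so strict was already the effective value; the dead "full"
# line is dropped so the file states what is actually enforced.
ProtectSystem=strict
# With ProtectSystem=strict the whole file system is read-only except for the
# paths listed here.
# NOTE(review): /run is writable in full. If the service only needs a private
# runtime directory, RuntimeDirectory= would grant a narrower one.
# The list is whitespace-separated, so the root directory must not contain
# spaces.
ReadWritePaths=/run {{ penpot_root_dir }}/data

# NOTE(review): CapabilityBoundingSet=, SystemCallFilter= and
# RestrictAddressFamilies= are not set. "systemd-analyze security" on the
# installed unit lists the remaining exposure.

[Install]
WantedBy=multi-user.target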