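# systemd unit for the Miniflux feed reader.
# Jinja2 template: miniflux_root_dir and miniflux_user are substituted at deploy time.
# Keep one directive per line and comments on their own lines; systemd does
# not accept several assignments on one line or trailing comments.

[Unit]
Description=Miniflux Feed Reader
# After= only orders start-up. It does not pull postgresql.service in and does
# not stop this unit when the database unit fails.
After=network.target postgresql.service

[Service]
# The service signals readiness itself (sd_notify); systemd waits for that message.
Type=notify
# Miniflux settings are passed as environment variables. This file typically
# carries the database connection string, so treat it as a secret: the service
# manager reads it, which means root ownership with mode 0600 is sufficient.
EnvironmentFile={{ miniflux_root_dir }}/etc/miniflux.conf
# Must be a dedicated unprivileged account, never root.
User={{ miniflux_user }}
# The binary and its parent directories should be root-owned and not writable
# by the service account, so the service cannot change what runs on restart.
ExecStart={{ miniflux_root_dir }}/bin/miniflux
# Creates /run/miniflux owned by User= at start and removes it on stop.
RuntimeDirectory=miniflux
Restart=always
# Seconds to wait before each restart.
RestartSec=5

# --- Privilege and kernel-surface restrictions ---
# Blocks privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=true
PrivateDevices=true
ProtectControlGroups=true
# Hides /home, /root and /run/user; miniflux_root_dir must not live under them.
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectHostname=true
ProtectClock=true
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
# No memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=true

# --- File system view ---
# The whole hierarchy is mounted read-only apart from /dev, /proc and /sys;
# writable locations have to be listed explicitly.
ProtectSystem=strict
PrivateTmp=true
# NOTE(review): this reopens all of /run for writing, although RuntimeDirectory=
# already provides a writable /run/miniflux. If the service only writes there
# (for example its listening socket), narrow this path or drop the line.
ReadWritePaths=/run

# --- System call filtering ---
SystemCallArchitectures=native
# The first line is the allow-list; each "~" line removes a group from it.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
# Filtered calls fail with EPERM instead of terminating the process.
SystemCallErrorNumber=EPERM

# Review the remaining exposure with "systemd-analyze security" after deployment.
# Candidates to evaluate next: CapabilityBoundingSet= and RestrictAddressFamilies=.

[Install]
WantedBy=multi-user.target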