[Unit]
Description=Sachet SMS Daemon for Prometheus Alertmanager

[Service]
Restart=always
User=sachet
ExecStart=/usr/bin/sachet -config /etc/sachet.yml -listen-address {{ sachet_listen }}

# systemd hardening-options
AmbientCapabilities=
CapabilityBoundingSet=
DeviceAllow=/dev/null rw
DevicePolicy=strict
LimitMEMLOCK=0
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
{% if 'smstools' in sachet_providers %}
ReadWritePaths={{ sachet_providers.smstools.outgoing_dir }}
{% endif %}
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target