[Unit]
Description=Nginx SSO authentication daemon (%I)

[Service]
Restart=on-failure
ExecStart=/usr/bin/nginx-sso --config /etc/nginx/auth/sso/%i.yml --frontend-dir /usr/share/nginx-sso/frontend
ExecReload=/bin/kill -HUP $MAINPID

# systemd hardening-options
AmbientCapabilities=
CapabilityBoundingSet=
DeviceAllow=/dev/null rw
DevicePolicy=strict
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target