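{# Jinja-templated systemd unit for one whawty.auth agent instance.
   Rendered once per app; the store block is looked up by the app's
   configured store name so the conditional below can inspect it. #}
{% set whawty_auth_store = whawty_auth_store_instances[whawty_auth_app.config.store] %}
[Unit]
Description=whawty.auth authentication agent for {{ whawty_auth_app.name }}

[Service]
Type=simple
# The store config lives under /etc, which ProtectSystem=strict below
# mounts read-only; the agent only needs to read it.
ExecStart=/usr/bin/whawty-auth --store "/etc/whawty/auth/store-{{ whawty_auth_app.config.store }}.yml" runsa
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
RestartSec=3

# NOTE(review): no User=/DynamicUser= is set, so the agent presumably
# runs as uid 0 with an empty capability set. That limits the blast
# radius, but a dedicated service account (owning the store basedir)
# would be the stronger choice - confirm which account the Ansible role
# provisions before adding one here.
AmbientCapabilities=
CapabilityBoundingSet=
# DevicePolicy=strict allows ONLY the listed devices, so /dev/urandom is
# not reachable. This is fine as long as the agent obtains entropy via
# getrandom(2) (a syscall, not a device node); if salt/hash generation
# ever fails with EPERM on /dev/urandom, add `DeviceAllow=/dev/urandom r`.
DeviceAllow=/dev/null rw
DevicePolicy=strict
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
{# Only a non-client store is written to locally; a sync client is
   presumably fed from elsewhere and keeps the whole FS read-only. #}
{% if 'sync' not in whawty_auth_store or whawty_auth_store.sync.type != 'client' %}
ReadWritePaths={{ whawty_auth_store.config.basedir }}
{% endif %}
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native

# Close the gaps left by the block above (these are what
# `systemd-analyze security` still flags for it). Directives unknown to
# an older systemd are logged and ignored, not fatal.
ProtectClock=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectProc=invisible
RestrictSUIDSGID=true
# Allow-list the syscalls of an ordinary daemon. EPERM rather than the
# default SIGSYS so an unexpected but harmless syscall fails instead of
# crashing the agent; tighten to the default once the profile is known.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Local socket plus TCP for any remote store/sync traffic. Add AF_NETLINK
# only if the agent turns out to enumerate interfaces (check the journal
# for EAFNOSUPPORT after deploying).
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6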