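# systemd unit for the Deluge daemon, rendered from a Jinja2 template.
# Each hardening directive below is emitted only when the templated
# systemd_version is new enough to understand it.
[Unit]
Description=Deluge Bittorrent Client Daemon
Documentation=man:deluged
# After= only orders startup; Wants= is what pulls network-online.target
# into the boot transaction so the ordering has something to wait for.
Wants=network-online.target
After=network-online.target

[Service]
# Account and group the daemon runs as (templated).
User={{ deluge_user }}
Group={{ deluge_group }}
Type=simple
# Files created by the daemon get no permissions for "other".
UMask=007
# -d keeps deluged in the foreground, as Type=simple expects.
ExecStart={{ deluge_git_dir }}/.venv/bin/deluged -d -L warning
Restart=on-failure
RestartSec=3
TimeoutStopSec=300
# "~" resolves to the home directory of User=.
WorkingDirectory=~

# Security Hardening
PrivateTmp=true
# NOTE(review): confirm the daemon needs CAP_SYS_RESOURCE; an empty
# CapabilityBoundingSet= is tighter if it does not.
CapabilityBoundingSet=CAP_SYS_RESOURCE
{%+ if systemd_version | int >= 187 %}NoNewPrivileges=true{%- endif +%}
{%+ if systemd_version | int >= 209 %}SystemCallArchitectures=native{%- endif +%}
{% if systemd_version | int >= 214 %}
# NOTE(review): ProtectHome=true hides /home, /root and /run/user. Confirm
# that the service user's home (WorkingDirectory=~) and the templated
# directories are located elsewhere, or the unit will fail to start.
ProtectHome=true
ProtectSystem=true
{% endif %}
{% if systemd_version | int >= 231 %}
# Whole file system read-only, except the two templated directories.
ReadOnlyPaths=/
ReadWritePaths={{ deluge_git_dir }} {{ deluge_install_dir }}
RestrictRealtime=true
{% endif %}
{% if systemd_version | int >= 232 %}
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
RemoveIPC=true
{% endif %}
{% if systemd_version | int >= 233 %}
MountAPIVFS=true
# NOTE(review): a bare list is an allow-list, so ipc, net, mnt and pid
# namespaces remain creatable and only the other types are blocked. If the
# daemon needs none, RestrictNamespaces=true is tighter; a leading "~"
# turns the list into a deny-list.
RestrictNamespaces=ipc net mnt pid
{% endif %}
{%+ if systemd_version | int >= 235 %}LockPersonality=true{%- endif +%}
# The @system-service group exists only from systemd 239 on. Older versions
# do not recognise the name, so the directive would not produce the intended
# allow-list there; it is therefore gated on 239 rather than on 187.
{%+ if systemd_version | int >= 239 %}SystemCallFilter=@system-service{%- endif +%}
{% if systemd_version | int >= 242 %}
ProtectHostname=true
RestrictSUIDSGID=true
{% endif %}
{%+ if systemd_version | int >= 244 %}ProtectKernelLogs=true{%- endif +%}
{%+ if systemd_version | int >= 245 %}ProtectClock=true{%- endif +%}
{%+ if systemd_version | int >= 247 %}ProtectProc=invisible{%- endif +%}

[Install]
WantedBy=multi-user.target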