[Unit]
Description=SearxNG service
#Documentation=
After=network-online.target
Wants=searxng.socket

[Service]
User={{ searxng_user }}
Group={{ searxng_group }}
Type=notify
NotifyAccess=all
UMask=007
ExecStart={{ searxng_install_dir }}/.venv/bin/uwsgi \
    --ini "{{ searxng_uwsgi_config_filepath }}" \
    --socket "{{ searxng_uwsgi_socket_dir }}/searxng.socket"
Restart=on-failure
RestartSec=3
TimeoutStopSec=300
WorkingDirectory=~
KillSignal=SIGQUIT
StandardError=journal

# Security Hardening
PrivateTmp=true
CapabilityBoundingSet=CAP_SYS_RESOURCE
{% if systemd_version | int >= 187 %}
NoNewPrivileges=true
SystemCallFilter=@system-service
{% endif %}
{%+ if systemd_version | int >= 209 %}SystemCallArchitectures=native{%- endif +%}
{% if systemd_version | int >= 214 %}
ProtectHome=true
ProtectSystem=true
{% endif %}
{% if systemd_version | int >= 231 %}
ReadOnlyPaths=/
ReadWritePaths={{ searxng_install_dir }} {{ searxng_uwsgi_socket_dir }} {{ searxng_uwsgi_config_filepath }} {{ searxng_git_dir }}
RestrictRealtime=true
{% endif %}
{% if systemd_version | int >= 232 %}
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
RemoveIPC=true
{% endif %}
{% if systemd_version | int >= 233 %}
MountAPIVFS=true
RestrictNamespaces=ipc net mnt pid
{% endif %}
{%+ if systemd_version | int >= 235 %}LockPersonality=true{%- endif +%}
{% if systemd_version | int >= 242 %}
ProtectHostname=true
RestrictSUIDSGID=true
{% endif %}
{%+ if systemd_version | int >= 244 %}ProtectKernelLogs=true{%- endif +%}
{%+ if systemd_version | int >= 245 %}ProtectClock=true{%- endif +%}
{%+ if systemd_version | int >= 247 %}ProtectProc=invisible{%- endif +%}

[Install]
WantedBy=multi-user.target