ansible-infra/ansible_collections/nullified/infrastructure/roles/deluge/templates/systemd/deluge-web.service.j2

[Unit]
Description=Deluge Bittorrent Client Web Interface
Documentation=man:deluge-web
After=deluged.service
Wants=deluged.service

[Service]
User={{ deluge_user }}
Group={{ deluge_group }}
Type=simple
UMask=027
ExecStart={{ deluge_git_dir }}/.venv/bin/deluge-web -d
Restart=on-failure
RestartSec=3

# Security Hardening
PrivateTmp=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
{% if systemd_version | int >= 187 %}
NoNewPrivileges=true
SystemCallFilter=@system-service
{% endif %}
{%+ if systemd_version | int >= 209 %}SystemCallArchitectures=native{%- endif +%}
{% if systemd_version | int >= 214 %}
ProtectHome=true
ProtectSystem=true
{% endif %}
{% if systemd_version | int >= 231 %}
ReadOnlyPaths=/
ReadWritePaths={{ deluge_git_dir }} {{ deluge_install_dir }}
RestrictRealtime=true
{% endif %}
{% if systemd_version | int >= 232 %}
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
RemoveIPC=true
{% endif %}
{% if systemd_version | int >= 233 %}
MountAPIVFS=true
RestrictNamespaces=ipc net mnt pid
{% endif %}
{%+ if systemd_version | int >= 235 %}LockPersonality=true{%- endif +%}
{% if systemd_version | int >= 242 %}
ProtectHostname=true
RestrictSUIDSGID=true
{% endif %}
{%+ if systemd_version | int >= 244 %}ProtectKernelLogs=true{%- endif +%}
{%+ if systemd_version | int >= 245 %}ProtectClock=true{%- endif +%}
{%+ if systemd_version | int >= 247 %}ProtectProc=invisible{%- endif +%}

[Install]
WantedBy=multi-user.target