[Unit]
Description=Whitelister Eternal

[Service]
User=whitelister
Group=whitelister
Restart=always
RestartSec=5
Type=simple
WorkingDirectory=/srv/whitelister
Environment=NODE_ENV=production
ExecStart=/usr/bin/node /srv/whitelister/dist/index.js
MemoryMax=4G

# Hardening
PrivateTmp=yes
NoNewPrivileges=true
RestrictNamespaces=uts ipc pid user cgroup
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
PrivateDevices=yes
RestrictSUIDSGID=true

[Install]
WantedBy=multi-user.target