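# systemd service unit for the IRC bouncer.
# One directive per line: systemd parses units line by line, and a '#'
# comment runs to end of line, so this file must not be collapsed onto a
# single line.
#
# NOTE(review): the unit mixes system-unit and user-unit conventions.
#  - %h is the home of the user running the service manager; in the system
#    manager it resolves to /root and is NOT influenced by User=.
#  - User=/Group= are only meaningful under the system manager; a per-user
#    manager (systemctl --user) already runs as that user.
#  - WantedBy=default.target is the usual install target for user units;
#    system services normally use multi-user.target.
# Confirm which manager loads this unit. For a system unit, replace %h with
# the absolute path; for a user unit, drop User=/Group=.

[Unit]
Description=IRC bouncer with stealth connect and multi-network multiplexing
# Start only after the network is reported as online.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=user
Group=user
ExecStart=%h/git/bouncer/.venv/bin/bouncer -c %h/git/bouncer/config/bouncer.toml
# Sends SIGHUP to the main process; presumably the bouncer reloads its
# configuration on SIGHUP - confirm.
ExecReload=kill -HUP $MAINPID
# Restart 10 seconds after an unclean exit.
Restart=on-failure
RestartSec=10

# Logging (stdout/stderr -> journal)
StandardOutput=journal
StandardError=journal
SyslogIdentifier=bouncer

# Hardening
# Block privilege gain through execve() (setuid/setgid bits, file capabilities).
NoNewPrivileges=yes
# Whole file system hierarchy read-only, apart from /dev, /proc and /sys.
ProtectSystem=strict
# Hide /home, /root and /run/user behind empty read-only tmpfs mounts, then
# expose only the bouncer tree.
ProtectHome=tmpfs
# BindPaths= is read-write, so the service can modify its own venv and
# configuration. NOTE(review): if the bouncer only writes state/log files,
# prefer BindReadOnlyPaths= for the code and a separate writable state
# directory - confirm what it writes.
BindPaths=%h/git/bouncer
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
# Forbids memory mappings that are both writable and executable.
# NOTE(review): this breaks code that generates machine code at runtime
# (JITs, some FFI callbacks) - verify with the bouncer's dependencies.
MemoryDenyWriteExecute=yes
# Further sandboxing; assumes the bouncer needs no hardware device nodes,
# kernel log access, clock or hostname changes - confirm before deploying.
PrivateDevices=yes
ProtectKernelLogs=yes
ProtectClock=yes
ProtectHostname=yes
LockPersonality=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
# Candidates to add once tested against the bouncer's real needs:
# RestrictAddressFamilies= and SystemCallFilter=@system-service.
# Check the resulting exposure with: systemd-analyze security <unit name>

[Install]
WantedBy=default.target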