[Unit]
After=network-online.target
Description=mmr-retention

[Service]
DynamicUser=yes
Type=simple
ExecStart=/usr/bin/mmr-retention
TimeoutStartSec=1200000
TimeoutStopSec=10
Restart=on-failure
RestartSec=120s
OOMPolicy=stop
OOMScoreAdjust=100
EnvironmentFile=/etc/mmr-retention/envs

CapabilityBoundingSet=
AmbientCapabilities=

IPAddressDeny=multicast

DevicePolicy=closed

ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
SystemCallArchitectures=native
ProtectProc=invisible
ProcSubset=pid
PrivateUsers=yes

SystemCallFilter=~@clock
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@debug
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@obsolete
SystemCallFilter=~@privileged
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@resources
SystemCallFilter=~@swap

UMask=077

[Install]
WantedBy=multi-user.target