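# redis-server.service — systemd unit running redis-server inside
# RootDirectory=/chroot/redisd. Read by systemd (systemd.unit(5),
# systemd.exec(5)): "#" full-line comments only, "=" delimiter, one directive
# per line. Booleans are written as true/false throughout.
#
# Single-valued directives (the Protect*/Private*/Restrict* booleans) take
# the LAST assignment, so every one of them is listed exactly once here;
# duplicated copies with mixed true/yes spellings only obscure the effective
# value. List-type directives (ReadWritePaths=, ReadOnlyPaths=, BindPaths=,
# SystemCallFilter=) accumulate, and their relative order is preserved.

[Unit]
Description=Advanced key-value store
After=network.target
# Documentation= is a whitespace-separated list of URIs; a trailing comma
# would become part of the first URI.
Documentation=http://redis.io/documentation man:redis-server(1)

[Service]
# --supervised systemd makes redis-server send its readiness notification
# over the notify socket (bind-mounted into the chroot below), which
# Type=notify waits for; --daemonize no keeps it in the foreground.
Type=notify
ExecStart=/usr/bin/redis-server /etc/redis/redis.conf --supervised systemd --daemonize no
PIDFile=/run/redis/redis-server.pid
# 0: never time out on stop (redis may take long to flush on shutdown).
TimeoutStopSec=0
Restart=always
User=redis
Group=redis
RuntimeDirectory=redis
# 2755: setgid directory, so entries created under /run/redis inherit the
# redis group; world has read/traverse only.
RuntimeDirectoryMode=2755
RootDirectory=/chroot/redisd
RootDirectoryStartOnly=no
# 007: new files are owner+group accessible, nothing for others.
UMask=007
LimitNOFILE=65535

# ---- Process / kernel hardening (systemd.exec(5)) ----
PrivateTmp=true
PrivateDevices=true
DevicePolicy=closed
PrivateUsers=true
ProtectHome=true
ProtectSystem=strict
MountAPIVFS=true
ProcSubset=pid
ProtectProc=invisible
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
# Empty value: no capabilities at all remain in the bounding set.
CapabilityBoundingSet=
NoNewPrivileges=true
LockPersonality=true
MemoryDenyWriteExecute=true
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
# Allow the @system-service group, then deny @privileged and @resources
# from within it (order matters: allow-list first, then the "~" deny list).
SystemCallFilter=@system-service
SystemCallFilter=~ @privileged @resources

# Commented-out alternatives, not active; kept so the wider/narrower
# variants that were considered stay visible next to the chosen values.
#ProtectSystem=full
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
#RestrictNamespaces=uts ipc pid user cgroup

# ---- Filesystem view ----
# A "-" prefix marks a path as optional: if it does not exist it is ignored
# instead of failing the unit.
# NOTE(review): both host-absolute paths (/chroot/redisd/...) and in-chroot
# paths (/run/redis) are listed. Confirm against systemd.exec(5) for the
# target systemd version which base RootDirectory= applies to
# ReadWritePaths=/ReadOnlyPaths=/ExecPaths=, and drop whichever set is inert.
ReadWritePaths=-/chroot/redisd/var/lib/redis
ReadWritePaths=-/chroot/redisd/var/log/redis
ReadWritePaths=-/chroot/redisd/run/redis
ReadWritePaths=-/run/redis
# redis-server can write to its own config file when in cluster mode so we
# permit writing there by default. If you are not using this feature, it is
# recommended that you remove this line.
# (ReadWriteDirectories= is the old name for ReadWritePaths=; same setting.)
ReadWritePaths=-/chroot/redisd/etc/redis

# This restricts this service from executing binaries other than redis-server
# itself. This is really effective at e.g. making it impossible to an
# attacker to spawn a shell on the system, but might be more restrictive
# than desired. If you need to, you can permit the execution of extra
# binaries by adding an extra ExecPaths= directive with the command
# systemctl edit redis-server.service
NoExecPaths=/
ExecPaths=/chroot/redisd/usr/bin/redis-server /chroot/redisd/usr/lib /chroot/redisd/lib

ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
ReadOnlyPaths=/chroot/redisd
ReadWritePaths=/chroot/redisd/run
InaccessiblePaths=/chroot/redisd/boot /chroot/redisd/sys
# run
BindPaths=/chroot/redisd/run:/run:norbind
# log, systemd notify
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind

[Install]
WantedBy=chr-redisd.target
Alias=redis.service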