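# Systemd unit: runs amavisd inside the /chroot/maild root directory.
# Dialect notes: '#' comments are full-line only; Key=Value with no spaces;
# list-type keys (After=, Wants=, *Paths=, BindPaths=) accumulate across lines.
# Booleans are written true/false throughout (systemd also accepts yes/no).
# NOTE(review): several hardening directives are left commented out below and the
# reason is not recorded in this file — confirm before re-enabling or dropping them.

[Unit]
Description=Amavisd daemon in chroot
#Wants=postfix-chroot.service
Wants=clamav-daemon-chroot.service
# Wants= only pulls the clamd unit in; it does not order start-up. Ordering
# after it is needed so that /chroot/maild/run/clamav already exists when the
# optional ('-') BindPaths= entry in [Service] is evaluated — otherwise the bind
# is silently skipped and the daemon never sees the clamd socket.
After=local-fs.target network.target clamav-daemon-chroot.service
PartOf=chr-maild.target
# Skip (rather than fail) the unit when the chroot does not contain the binary.
ConditionPathExists=/chroot/maild/usr/sbin/amavisd

[Service]
# Type= is not set, so the service runs as the default Type=simple; the daemon is
# kept in the foreground accordingly.
#Type=forking
RootDirectory=/chroot/maild
# false (the default) applies the chroot to ExecStartPre= as well as ExecStart=,
# so the cleanup paths below are chroot-relative.
RootDirectoryStartOnly=false
User=amavis
Group=amavis
#RuntimeDirectory=amavis
#ExecStart=/usr/sbin/amavisd-new
ExecStart=/usr/sbin/amavisd foreground
ExecReload=/usr/sbin/amavisd reload
# Remove stale per-run work directories before start. The leading '-' ignores a
# non-zero exit (e.g. nothing to remove). '\;' is systemd's escape for passing a
# literal ';' to find; a bare ';' would start a new command line.
ExecStartPre=-/usr/bin/find /var/lib/amavis -maxdepth 1 -name 'amavis-*' -type d -exec rm -rf "{}" \;
ExecStartPre=-/usr/bin/find /var/lib/amavis/tmp -maxdepth 1 -name 'amavis-*' -type d -exec rm -rf "{}" \;
Restart=on-failure
#PIDFile=/chroot/maild/run/amavis/amavisd.pid

# Sandboxing. The service already runs as an unprivileged user with
# NoNewPrivileges=, so the commented-out CapabilityBoundingSet= and
# RestrictAddressFamilies= lines are defence in depth; re-enabling them should
# not change normal operation, but confirm which address families amavisd
# actually opens (AF_NETLINK in particular) before doing so.
PrivateTmp=true
MountAPIVFS=true
NoNewPrivileges=true
PrivateDevices=true
DevicePolicy=closed
# full = /usr, /boot and /etc read-only inside the service root.
ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
# Hide other users' processes and restrict /proc to process entries only.
ProtectProc=invisible
ProcSubset=pid
ProtectControlGroups=true
ProtectClock=true
ProtectHome=true
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
#RestrictNamespaces=uts ipc pid user cgroup
#RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
# Disabled: the original author notes that amavisd needs writable+executable
# memory mappings.
#MemoryDenyWriteExecute=true
#LockPersonality=true

# Mount restrictions.
# NOTE(review): with RootDirectory= in effect, confirm whether these *Paths=
# entries are resolved on the host or inside the new root — the "/bin ... /etc"
# list and the "/chroot/maild/..." list cannot both be meant the same way. The
# first ReadOnlyPaths= line largely duplicates ProtectSystem=full and is kept as
# belt-and-braces. Entries without a '-' prefix must exist or start-up fails.
ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
ReadOnlyPaths=/chroot/maild
# More specific ReadWritePaths= entries override the read-only parent above.
ReadWritePaths=/chroot/maild/run
ReadWritePaths=/chroot/maild/var/lib/amavis /chroot/maild/var/log/amavis /chroot/maild/var/cache/razor
InaccessiblePaths=/chroot/maild/boot /chroot/maild/sys /chroot/maild/proc

# run: bind the host's /chroot/maild/run to /run inside the service root.
BindPaths=/chroot/maild/run:/run:norbind
# log, systemd notify: journal stream socket for syslog-style logging, plus the
# sd_notify socket (only relevant if Type=notify / NotifyAccess= is ever enabled).
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind
# clamd socket: '-' skips the bind when the source does not exist at start-up,
# which is why the After= ordering on the clamd unit matters.
BindPaths=-/chroot/maild/run/clamav:/run/clamav:norbind

[Install]
# Enabled as part of the chroot mail target rather than multi-user.target.
#WantedBy=multi-user.target
WantedBy=chr-maild.target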