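# systemd unit that runs SFTPGo with /chroot/sftpd as its root directory.
# Layout: one directive per line, full-line "#" comments only.

[Unit]
Description=SFTPgo service (chroot)
# Ordering only: After= does not pull in mysql-admin.service. No Wants= or
# Requires= is declared here, and the mysqld socket bind below is disabled.
After=network.target local-fs.target remote-fs.target nss-lookup.target mysql-admin.service
# Stop/restart of chr-sftpd.target is propagated to this unit.
PartOf=chr-sftpd.target

[Service]
Type=simple
# The chroot applies to every Exec* command (RootDirectoryStartOnly=no), so
# /usr/bin/sftpgo and /bin/kill must both exist below /chroot/sftpd.
RootDirectory=/chroot/sftpd
RootDirectoryStartOnly=no
# User=/Group= are disabled: as a system unit the service then runs as root,
# constrained only by the capability and sandboxing settings below.
#User=sftpgo
#Group=sftpgo
#UMask=002
WorkingDirectory=/etc/sftpgo
RuntimeDirectory=sftpgo
Environment=SFTPGO_CONFIG_DIR=/etc/sftpgo/
# Set to an empty value; presumably makes SFTPGo log to stdout, which
# StandardOutput=journal below sends to the journal. Confirm against SFTPGo docs.
Environment=SFTPGO_LOG_FILE_PATH=
# Leading "-": a missing file is not an error. If this file carries
# credentials, keep it owned by root and not world-readable.
EnvironmentFile=-/etc/sftpgo/sftpgo.env
ExecStart=/usr/bin/sftpgo serve
ExecReload=/bin/kill -s HUP $MAINPID
# SIGTERM goes to the main process; remaining processes in the control group
# are sent SIGKILL afterwards.
KillMode=mixed
StandardOutput=journal
StandardError=journal
Restart=always
RestartSec=10s
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
LimitNOFILE=8192

# Allow-list of socket address families; all others are refused.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Capabilities are bounded to these three. CAP_DAC_OVERRIDE bypasses file
# permission checks and is the broadest of them.
# NOTE(review): confirm it is still required. If User= is enabled above, the
# ambient set hands the same capabilities to the unprivileged user.
AmbientCapabilities=CAP_CHOWN CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE
CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE

PrivateTmp=true
# NOTE(review): this mounts /proc, /sys and /dev inside the root directory,
# while InaccessiblePaths= below lists the chroot's sys and proc directories.
# Verify the effective mount table inside the running service.
MountAPIVFS=true
NoNewPrivileges=true
PrivateDevices=true
DevicePolicy=closed
ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
# /proc inside the service is limited to process entries, and processes of
# other users are hidden.
ProtectProc=invisible
ProcSubset=pid
ProtectControlGroups=true
ProtectClock=true
#ProtectHome=true
# Both RestrictNamespaces= variants are disabled, so namespace creation is
# not restricted. Consider enabling one after testing.
#RestrictNamespaces=uts ipc pid user cgroup
#RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes

# The paths below are written as host paths (no "+" prefix).
# The whole chroot tree is read-only except its run directory.
ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
ReadOnlyPaths=/chroot/sftpd
#ReadWritePaths=/chroot/sftpd/var/log/sftpgo
ReadWritePaths=/chroot/sftpd/run
InaccessiblePaths=/chroot/sftpd/boot /chroot/sftpd/sys /chroot/sftpd/proc

# BindPaths= entries are source:destination:options. The destination is
# inside the service's root and "norbind" makes the bind non-recursive.
# BindPaths= itself does not make a mount read-only.
# run
BindPaths=/chroot/sftpd/run:/run:norbind
# log, systemd notify
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind
# admin mysql
#BindPaths=-/run/mysqld-admin:/run/mysqld:norbind
# ssl
# NOTE(review): if the service only reads this directory, BindReadOnlyPaths=
# would state that directly.
BindPaths=/etc/ssl/sys:/etc/ssl/sys:norbind
# web
# Host /srv/web appears as /web inside the chroot.
BindPaths=/srv/web:/web:norbind

[Install]
#WantedBy=multi-user.target
WantedBy=chr-sftpd.target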