[Unit]
Description=Nightscout CGM.

[Service]
WorkingDirectory=/usr/lib/node_modules/nightscout
ExecStart=/usr/bin/node server.js
DynamicUser=yes

EnvironmentFile=/etc/nightscout/nightscout-environ

ReadOnlyPaths=/usr/lib/node_modules/nightscout

Restart=on-failure

PrivateTmp=yes
PrivateDevices=true
PrivateUsers=true

DevicePolicy=closed

ProtectSystem=strict
ProtectHome=tmpfs
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectClock=true
ProtectKernelLogs=yes
ProtectHostname=yes

RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

NoNewPrivileges=yes
LockPersonality=yes

#MemoryDenyWriteExecute=yes

CapabilityBoundingSet=
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target