[Unit]
Description=Synapse Worker %i
AssertPathExists=/etc/synapse/workers/%i.yaml

# This service should be restarted when the synapse target is restarted.
#PartOf=synapse.target
#ReloadPropagatedFrom=synapse.target

# if this is started at the same time as the main, let the main process start
# first, to initialise the database schema.
After=synapse.service

[Service]
Type=notify
NotifyAccess=main
User=synapse
WorkingDirectory=/var/lib/synapse
ExecStart=/usr/bin/synapse_worker --config-path=/etc/synapse/homeserver.yaml --config-path=/etc/synapse/workers/%i.yaml
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=3
SyslogIdentifier=synapse-%i

Environment="LD_PRELOAD=/usr/lib64/libjemalloc.so.2"
CPUAccounting=on
MemoryAccounting=on

MemoryHigh=500M
MemoryMax=1G
MemorySwapMax=1G

CPUWeight=75

PrivateTmp=yes
PrivateDevices=true
PrivateUsers=true

CapabilityBoundingSet=
AmbientCapabilities=

DevicePolicy=closed

ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectClock=true
ProtectKernelLogs=yes
ProtectHostname=true

ProtectProc=invisible
ProcSubset=pid

RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

NoNewPrivileges=yes
LockPersonality=yes

SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @obsolete

RemoveIPC=true

[Install]
WantedBy=multi-user.target