[Unit]
Description=IcingaDB Redis persistent key-value database
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/usr/bin/icingadb-redis-server /etc/icingadb-redis/icingadb-redis.conf --daemonize no --supervised systemd
ExecStop=/usr/libexec/icingadb-redis-shutdown
Type=notify
User=icingadb-redis
Group=icingadb-redis
RuntimeDirectory=icingadb-redis
RuntimeDirectoryMode=0755
UMask=007
CapabilityBoundingSet=
LimitNOFILE=65535
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateUsers=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~ @privileged @resources
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
NoExecPaths=/
ExecPaths=/usr/bin/icingadb-redis-server /usr/lib /lib
ExecPaths=-/usr/lib64
ExecPaths=-/lib64
ReadOnlyPaths=/
ReadWritePaths=-/var/lib/icingadb-redis
ReadWritePaths=-/var/log/icingadb-redis
ReadWritePaths=-/var/run/icingadb-redis


[Install]
WantedBy=multi-user.target