[Unit]
Description=collabore tunnel  Make your local services accessible to all on the public Internet
After=network.target nginx.service

[Service]
Type=exec

# environment variables
Environment=HOME=/opt/collabore-tunnel/
Environment=UNIX_SOCKETS_DIRECTORY=/opt/collabore-tunnel/sockets
Environment=SERVER_HOSTNAME=tnl.clb.re
Environment=CONFIG_DIRECTORY=.
Environment=WELCOME_BANNER_FILE=./welcome_banner.txt
Environment=RATE_LIMIT_COUNT=5
Environment=RATE_LIMIT_INTERVAL=60
Environment=MAX_CONNECTIONS_PER_IP=5
Environment=SSH_SERVER_HOST=0.0.0.0
Environment=SSH_SERVER_PORT=22
Environment=LOG_DEPTH=2

# working directory and exec
WorkingDirectory=/opt/collabore-tunnel
ExecStart=/opt/collabore-tunnel/.env/bin/python3 main.py
ExecStop=/usr/bin/kill -9 $MAINPID
Restart=on-failure
RestartSec=10s
User=collabore-tunnel
Group=collabore-tunnel

# filesystem
TemporaryFileSystem=/:ro
BindReadOnlyPaths=/lib/ /lib64/ /usr/lib/ /usr/lib64/ /opt/collabore-tunnel/
BindReadOnlyPaths=/usr/bin/python3 /usr/bin/kill
BindPaths=/opt/collabore-tunnel/sockets/
BindPaths=/opt/collabore-tunnel/id_rsa_host
PrivateTmp=true
PrivateDevices=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ReadWritePaths=

# network
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# misc
SystemCallArchitectures=native
SystemCallFilter=
NoNewPrivileges=true
RestrictRealtime=true
MemoryDenyWriteExecute=true
ProtectKernelLogs=true
LockPersonality=true
ProtectHostname=true
RemoveIPC=true
RestrictSUIDSGID=true
ProtectClock=true
ProtectProc=invisible

# capabilities
RestrictNamespaces=yes
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target