{{define "main" -}}
[Unit]
Description={{.Coin.Name}} backend daemon
After=network.target

[Service]
ExecStart={{template "Backend.ExecCommandTemplate" .}}
User={{.Backend.SystemUser}}
Restart=on-failure
TimeoutStopSec=300
WorkingDirectory={{.Env.BackendInstallPath}}/{{.Coin.Alias}}
{{if eq .Backend.ServiceType "forking" -}}
Type=forking
RuntimeDirectory={{.Coin.Alias}}
PIDFile=/run/{{.Coin.Alias}}/{{.Coin.Alias}}.pid
{{else -}}
Type=simple
{{end}}
{{template "Backend.ServiceAdditionalParamsTemplate" .}}

# Resource limits
LimitNOFILE=500000

# Hardening measures
####################

# Provide a private /tmp and /var/tmp.
PrivateTmp=true

# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full

# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true

# Use a new /dev namespace only populated with API pseudo devices
# such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true

{{if .Backend.ProtectMemory -}}
# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true
{{end}}

[Install]
WantedBy=multi-user.target
{{end}}