[Unit]
Description=FORT RPKI validator
Documentation=man:fort(8)
Documentation=https://nicmx.github.io/FORT-validator/

[Service]
ExecStart=/usr/bin/fort --configuration-file /etc/fort/config.json --daemon
Type=simple
User=fort
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
ProtectSystem=strict
ProtectHome=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
CacheDirectory=fort
ReadWritePaths=/var/lib/fort/
ConfigurationDirectory=fort
ConfigurationDirectory=tals
StateDirectory=fort
NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target