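## systemd unit for ForwardXMPP. Runs the bot as an unprivileged, sandboxed
## service once the network is online.
[Unit]
Description=XMPP Message Forwarding Bot
Wants=network-online.target
After=network-online.target

[Install]
WantedBy=default.target

[Service]
## If you installed ForwardXMPP in a virtualenv, you will probably want to
## override this line so the executable is the python inside your virtualenv.
## If you did not install ForwardXMPP system-wide, you can set
## Environment=PYTHONPATH=
## and this ExecStart should work.
ExecStart=/usr/bin/python3 -m forwardxmpp --config-file /etc/forwardxmpp/config.ini

## Generally the only privileged operation ForwardXMPP needs to do is read
## its configuration file (which has a password in it). If DynamicUser can't
## read it, you can turn that off and set a low-privileged static User.
## Prefer that over loosening the file's permissions: making the file
## world-readable exposes the password to every local account.
DynamicUser=true

## Filesystem, device and kernel-interface isolation.
DevicePolicy=closed
MemoryDenyWriteExecute=true
PrivateDevices=true
## The bot has to reach its XMPP server, so the host network stays visible.
PrivateNetwork=false
PrivateTmp=true
PrivateUsers=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict

## Only local, IP and netlink sockets may be created.
## NOTE(review): AF_NETLINK is presumably needed for name resolution or
## interface lookups - confirm before removing it.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=true
RestrictRealtime=true

## Empty bounding set: the service holds no capabilities, and
## NoNewPrivileges stops it regaining any through setuid/setgid binaries.
CapabilityBoundingSet=
NoNewPrivileges=true

## Allow only the native syscall ABI. On multi-ABI systems (x86-64 with
## i386/x32 support) the filters in this unit, RestrictAddressFamilies in
## particular, are not equally effective for the alternative ABIs, so
## systemd recommends disabling them whenever syscall filtering is used.
SystemCallArchitectures=native

## This is just a list of very privileged syscall groups (the leading ~
## makes it a deny-list).
## This list could be tightened further if desired.
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete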