# You should not need to edit this file. Instead, use a drop-in file by running:
#   systemctl edit kanidmd.service

[Unit]
Description=Kanidm Identity Server
After=time-sync.target network-online.target
Wants=time-sync.target network-online.target
Before=radiusd.service

[Service]
Type=notify
DynamicUser=yes
User=kanidmd_dyn
Group=kanidmd
StateDirectory=kanidmd
StateDirectoryMode=0750
CacheDirectory=kanidmd
CacheDirectoryMode=0750
RuntimeDirectory=kanidmd
RuntimeDirectoryMode=0755
ExecStart=/usr/bin/kanidmd server

AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target