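# systemd unit for the Fabula Ultima share-link service.
# The service listens on loopback only; a reverse proxy (Caddy) terminates
# public traffic and forwards to it.
# Comments are kept on their own lines: systemd does not support trailing
# comments on a directive line.

[Unit]
Description=Fabula Ultima share-link service
Documentation=https://git.illaoi.pro/drew/fabula-ultima-html
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/usr/local/bin/share-svc
# Bind to loopback only; Caddy reverse-proxies public traffic to it.
# Keep this on 127.0.0.1: nothing in this unit restricts who may connect.
Environment=ADDR=127.0.0.1:8090
Environment=DB_PATH=/var/lib/share-svc/shares.db
Restart=on-failure
RestartSec=2

# Run as an ephemeral, unprivileged user. StateDirectory creates and chowns
# /var/lib/share-svc so the SQLite file persists across restarts. With
# DynamicUser=yes that path is a symlink into /var/lib/private/.
DynamicUser=yes
StateDirectory=share-svc
# Files the service creates (the SQLite database) are owner-only.
UMask=0077

# Hardening
# DynamicUser=yes already implies NoNewPrivileges, ProtectSystem=strict and
# PrivateTmp; they stay explicit so the policy survives if DynamicUser is
# ever removed.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
# The service listens on an unprivileged port as a non-root user, so it
# needs no capabilities at all; an empty set drops every one of them.
CapabilityBoundingSet=
# Only IP sockets may be created. AF_UNIX is excluded, so sd_notify and
# syslog(3) from the service would fail; stdout/stderr logging still works
# because systemd passes those descriptors in already open.
# NOTE(review): confirm the service needs neither.
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
# Refuse non-native syscall ABIs, which would otherwise sidestep any
# per-architecture syscall filtering.
SystemCallArchitectures=native
# NOTE(review): SystemCallFilter=@system-service is the usual next step;
# left out here because it must be tested against the actual binary.
# `systemd-analyze security <unit>` reports the remaining exposure.

[Install]
WantedBy=multi-user.target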