## unit metadata; Description is the label shown by "systemctl status"
##
[Unit]
Description=copyparty file server

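[Service]
Type=notify
SyslogIdentifier=copyparty
Environment=PYTHONUNBUFFERED=x

## "systemctl reload" sends SIGUSR1 to the main process;
##   there is deliberately no PermissionsStartOnly= here: it is
##   deprecated, and with it ExecReload would run as root instead of
##   as User= (the signal goes to a process owned by that same user,
##   so no extra privileges are needed to send it)
##
ExecReload=/bin/kill -s USR1 $MAINPID

## user to run as + where the TLS certificate is (if any)
##
User=copyparty
Group=copyparty
WorkingDirectory=/var/lib/copyparty
Environment=XDG_CONFIG_HOME=/var/lib/copyparty/.config

## OPTIONAL: allow copyparty to listen on low ports (like 80/443);
##   you need to uncomment the "p: 80,443,3923" in the config too
##   ------------------------------------------------------------
##   a slightly safer alternative is to enable partyalone.service
##   which does portforwarding with nftables instead, but an even
##   better option is to use a reverse-proxy (nginx/caddy/...)
##   ------------------------------------------------------------
##   NOTE: the capability is granted as shipped; comment out the
##   line below if copyparty only listens on high ports
##
AmbientCapabilities=CAP_NET_BIND_SERVICE

## never hold more than that one capability, and never let the
##   service (or anything it spawns) gain privileges through
##   setuid/setgid binaries or file capabilities;
##   hooks which rely on sudo or similar will stop working
##   unless you set NoNewPrivileges=false
##
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

## some quick hardening; TODO port more from the nixos package
##   ------------------------------------------------------------
##   Memory*Max: percentages are relative to installed RAM / swap
##   Protect*:   no changing the clock, cgroups, hostname, kernel
##               logs/modules/tunables; ProtectProc=invisible hides
##               processes of other users in /proc
##   RemoveIPC:  drop IPC objects owned by User= when the unit stops
##   Restrict*:  no new namespaces, no realtime scheduling, no
##               creating setuid/setgid files
##   ------------------------------------------------------------
##   NOTE: nothing here limits filesystem access; what copyparty
##   can read and write is still decided by file permissions
##
MemoryMax=50%
MemorySwapMax=50%
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true

## create a directory for logfiles;
##   this defines $LOGS_DIRECTORY which is used in copyparty.conf
##
LogsDirectory=copyparty

## finally, start copyparty and give it the config file:
##   the script below is executed on every start, so keep it (and
##   /etc/copyparty.conf) owned by root and not writable by the
##   copyparty user
##
ExecStart=/usr/bin/python3 /usr/local/bin/copyparty-sfx.py -c /etc/copyparty.conf

# NOTE: if you installed copyparty from an OS package repo (nice)
#   then you probably want something like this instead:
# ExecStart=/usr/bin/copyparty -c /etc/copyparty.conf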

## "systemctl enable" hooks this unit into multi-user.target,
##   so it gets started as part of a normal multi-user boot
##
[Install]
WantedBy=multi-user.target
