[Unit] Description={{ synapse_systemd_unit_description }} {% if synapse_systemd_unit_after | default([]) | length > 0 %} After={{ synapse_systemd_unit_after | join(' ') }} {% endif %} {% if synapse_systemd_unit_wants | default([]) | length > 0 %} Wants={{ synapse_systemd_unit_wants | join(' ') }} {% endif %} [Service] Type={{ synapse_systemd_service_type }} WorkingDirectory={{ synapse_venv_path }} ExecStart={{ synapse_systemd_service_exec_start }} ExecStop={{ synapse_systemd_service_exec_stop }} ExecReload={{ synapse_systemd_service_exec_reload }} User={{ synapse_run_user }} Group={{ synapse_run_group }} Restart={{ synapse_systemd_service_restart }} ProtectSystem={{ synapse_systemd_service_protect_system }} ProtectHome={{ synapse_systemd_service_protect_home }} ProtectClock={{ synapse_systemd_service_protect_clock }} ProtectHostname={{ synapse_systemd_service_protect_hostname }} ProtectKernelLogs={{ synapse_systemd_service_protect_protect_kernel_logs }} ProtectKernelModules={{ synapse_systemd_service_protect_protect_kernel_modules }} ProtectKernelTunables={{ synapse_systemd_service_protect_protect_control_groups }} ProtectControlGroups={{ synapse_systemd_service_protect_protect_control_groups }} RestrictNamespaces={{ synapse_systemd_service_restrict_namespaces }} RestrictSUIDSGID={{ synapse_systemd_service_restrict_suid_sgid }} {% for path in synapse_systemd_service_read_write_paths | default([]) %} ReadWritePaths={{ path }} {% endfor %} RestrictAddressFamilies={{ synapse_systemd_service_restrict_address_families | join(' ') }} RemoveIPC={{ synapse_systemd_service_remove_ipc }} LockPersonality={{ synapse_systemd_service_lock_personality }} NoNewPrivileges={{ synapse_systemd_service_no_new_privileges }} [Install] WantedBy={{ synapse_systemd_install_wanted_by }}