[Unit]
Description=qrbill

[Service]
ExecStart=/usr/local/bin/qrbill-api

# See also http://0pointer.net/blog/dynamic-users-with-systemd.html
DynamicUser=yes

# Remove all capabilities(7), this is a stateless web server:
CapabilityBoundingSet=

# Ensure the service can never gain new privileges:
NoNewPrivileges=yes

# Prohibit access to any kind of namespacing:
RestrictNamespaces=yes

# Make home directories inaccessible:
ProtectHome=true

# Make device nodes except for /dev/null, /dev/zero, /dev/full,
# /dev/random and /dev/urandom inaccessible:
PrivateDevices=yes

# Make users other than root and the user for this daemon inaccessible:
PrivateUsers=yes

# Make cgroup file system hierarchy inaccessible:
ProtectControlGroups=yes

# Deny kernel module loading:
ProtectKernelModules=yes

# Make kernel variables (e.g. /proc/sys) read-only:
ProtectKernelTunables=yes

# Filter dangerous system calls. The following is listed as safe basic choice
# in systemd.exec(5):
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target