[Unit]
Description=CSSGOWTF backend service
After=network.target

[Service]
DynamicUser=yes
ExecStart=/opt/csgowtfd/csgowtfd
WorkingDirectory=/var/lib/csgowtfd
RuntimeDirectory=csgowtfd
StateDirectory=csgowtfd
ConfigurationDirectory=csgowtfd

# more hardening
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes

[Install]
WantedBy=multi-user.target