[Unit]
Description=thelounge - Modern, responsive, cross-platform, self-hosted web IRC client
Documentation=https://thelounge.chat/docs

After=network-online.target
Wants=network-online.target

[Service]
Environment=THELOUNGE_HOME=/var/lib/%N
ExecStart=/usr/bin/%N start
WorkingDirectory=/var/lib/%N

User=%N
Group=%N
UMask=0027

# Sandboxing and hardening systemd.exec(5)
PrivateUsers=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
RestrictRealtime=yes
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
NoNewPrivileges=true

# set entire file system to read only except following ReadWritePaths
ProtectSystem=strict
ReadWritePaths=/var/lib/%N

[Install]
WantedBy=multi-user.target