[Unit]
Description=Z-Wave JS Server
Documentation=https://www.npmjs.com/package/@zwave-js/server
After=network-online.target
Wants=network-online.target

[Service]
ExecStartPre=/bin/mkdir -p \
    /var/log/zwave-js-server \
    /var/cache/zwave-js-server \
    /var/lib/zwave-js-server
ExecStart=/usr/bin/node /usr/bin/zwave-server \
    --host=localhost \
    --port=3000 \
    --config=/etc/zwave-js-server.config.js \
    %I
Restart=on-failure
Group=root
User=root

CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
CapabilityBoundingSet=~CAP_CHOWN
CapabilityBoundingSet=~CAP_FOWNER
CapabilityBoundingSet=~CAP_FSETID
CapabilityBoundingSet=~CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_KILL
CapabilityBoundingSet=~CAP_LEASE
CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
CapabilityBoundingSet=~CAP_MKNOD
CapabilityBoundingSet=~CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_SETFCAP
CapabilityBoundingSet=~CAP_SETGID
CapabilityBoundingSet=~CAP_SETPCAP
CapabilityBoundingSet=~CAP_SETUID
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_SYS_BOOT
CapabilityBoundingSet=~CAP_SYS_CHROOT
CapabilityBoundingSet=~CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_SYS_RAWIO
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
DeviceAllow=char-ttyACM
DevicePolicy=closed
LockPersonality=yes
PrivateTmp=yes
ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=noaccess
RemoveIPC=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
RestrictNetworkInterfaces=lo
RestrictRealtime=yes
RestrictSUIDSGID=yes
SocketBindDeny=any
SystemCallArchitectures=native
SystemCallFilter=~@clock
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@debug
SystemCallFilter=~@module
SystemCallFilter=~@obsolete
SystemCallFilter=~@privileged
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@swap

[Install]
WantedBy=multi-user.target