From 707b45e4ade3065a20a8897f9b862407e6a28549 Mon Sep 17 00:00:00 2001
From: "Alexander \"Arav\" Andreev"
Date: Sun, 1 Oct 2023 05:58:49 +0400
Subject: [PATCH] Added a systemd unit for radiodj.
---
init/radiodj.service | 55 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100755 init/radiodj.service
diff --git a/init/radiodj.service b/init/radiodj.service
new file mode 100755
index 0000000..6610789
--- /dev/null
+++ b/init/radiodj.service
@@ -0,0 +1,55 @@
+[Unit]
+Description=Arav's dwelling / Radio DJ
+Requires=icecast.service
+After=network-online.target icecast.service
+
+[Service]
+Type=simple
+Restart=on-failure
+DynamicUser=yes
+ExecStart=/usr/bin/dwelling-radiodj -listen /var/run/dwelling-radio/djsock \
+ -playlist /mnt/data/appdata/radio/playlists/all-rand \
+ -list-length 10 -mls-file /mnt/data/appdata/radio/mostlistenedsong
+
+ReadOnlyPaths=/
+
+LogsDirectory=dwelling-radio
+RuntimeDirectory=dwelling-radio
+
+AmbientCapabilities=
+CapabilityBoundingSet=
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
+
+[Install]
+WantedBy=multi-user.target
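Review bot: `-mls-file /mnt/data/appdata/radio/mostlistenedsong` sits under a tree that `ProtectSystem=strict` and `ReadOnlyPaths=/` make read-only, so if the daemon persists the most-listened song there (inferred from the flag name, not visible in this patch) the write will fail, and under `DynamicUser=yes` the transient UID would not own that file anyway. A narrowly scoped exception such as `StateDirectory=dwelling-radio`, with the file moved under `/var/lib/dwelling-radio/`, keeps the rest of the sandbox intact instead of inviting a broad relaxation later. The `SystemCallFilter=~@…` lines form a deny-list, so every syscall group not named stays reachable; `SystemCallFilter=@system-service` followed by `SystemCallFilter=~@privileged @resources` turns it into an allow-list. If the service only serves the unix socket, `RestrictAddressFamilies=` could be reduced to `AF_UNIX`, and the unit is added with mode 100755 although unit files are not meant to be executable (systemd logs a warning for that).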