Hardened systemd unit.

init/systemd/dwelling-radio.service

@@ -4,9 +4,32 @@ After=network-online.target
 
 [Service]
 Type=simple
-Restart=on-failure
 User=dwradio
+Group=dwradio
 ExecStart=/usr/bin/dwelling-radio -conf /etc/dwelling/radio.yaml
+LogsDirectory=dwelling-radio
+RuntimeDirectory=dwelling-radio
+Restart=on-failure
+
+AmbientCapabilities=
+CapabilityBoundingSet=
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target