From c61328a37e70f19cd22e1e9650ad04f65b24939c Mon Sep 17 00:00:00 2001
From: "Alexander \"Arav\" Andreev"
Date: Wed, 30 Mar 2022 18:51:33 +0400
Subject: [PATCH] Restricted rw, ro and exec paths. Moved Restart option on top.

---
 init/systemd/dwelling-radio.service | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/init/systemd/dwelling-radio.service b/init/systemd/dwelling-radio.service
index 8641ce0..e947c84 100755
--- a/init/systemd/dwelling-radio.service
+++ b/init/systemd/dwelling-radio.service
@@ -4,12 +4,19 @@ After=network-online.target
 
 [Service]
 Type=simple
+Restart=on-failure
 User=dwradio
 Group=dwradio
 ExecStart=/usr/bin/dwelling-radio -conf /etc/dwelling/radio.yaml
+
+ReadOnlyPaths=/
+# Set here path to directory where uploads are stored.
+ReadWritePaths=/srv/upload
+NoExecPaths=/
+ExecPaths=/usr/bin/dwelling-radio /usr/lib64
+
 LogsDirectory=dwelling-radio
 RuntimeDirectory=dwelling-radio
-Restart=on-failure
 AmbientCapabilities=
 CapabilityBoundingSet=
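Review bot: `ExecPaths=/usr/bin/dwelling-radio /usr/lib64` together with `NoExecPaths=/` hard-codes one distribution's library layout. If the binary is dynamically linked, its loader and shared libraries must sit under an allowed path, so on hosts that keep them under `/usr/lib` the service would fail at exec; consider `ExecPaths=/usr/bin/dwelling-radio /usr/lib /usr/lib64`, or drop the library directories once the binary is confirmed static. Both keys need systemd 248 or newer, and older versions ignore them with a warning, so the unit would start without the exec restriction; a comment above the line such as `# NoExecPaths=/ExecPaths= require systemd >= 248` would make that visible. `ReadWritePaths=/srv/upload` makes startup fail during namespace setup when the directory is absent, which is a sound fail-closed default, but the comment above it should say the value has to match the upload directory presumably configured in `/etc/dwelling/radio.yaml`.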