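[Unit]
Description=Arav's dwelling / Radio / EZStream
# Hard dependencies: both units are started with this one, and this unit is
# stopped or restarted when either of them is explicitly stopped or restarted.
Requires=dwelling-radio.service icecast.service
# After= only orders units; on its own it does not start network-online.target.
# Wants= pulls the target in so that the ordering below really waits for the network.
Wants=network-online.target
After=network-online.target dwelling-radio.service icecast.service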

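[Service]
# ezstream stays in the foreground; the ExecStart process is the main PID.
Type=simple
Restart=on-failure

# Unprivileged identity. With DynamicUser= set, systemd uses an existing static
# account of this name if there is one, otherwise it allocates a transient
# UID/GID for the lifetime of the unit.
User=dwelling-radio
DynamicUser=true

# NOTE(review): the XML config presumably holds the Icecast source password;
# confirm it is readable by this service account only and not world-readable.
ExecStart=/usr/bin/ezstream -c /etc/dwelling/ezstream.xml
# Stop with SIGINT and let systemd wait for the exit. An ExecStop= that only
# runs kill(1) returns at once, after which systemd sends the default SIGTERM
# on top of it, so the intended SIGINT shutdown is not what decides the stop.
KillSignal=SIGINT
# Sends SIGHUP to the main process.
# NOTE(review): presumably makes ezstream re-read its playlist; confirm in ezstream(1).
ExecReload=/bin/kill -HUP $MAINPID

# --- File system ---
# The whole tree is read-only inside the unit's mount namespace.
ReadOnlyPaths=/
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
# /var/log/dwelling-radio is created for the service user and stays writable.
LogsDirectory=dwelling-radio

# --- Capabilities and privilege escalation ---
# Empty assignments: no ambient capabilities and an empty bounding set.
AmbientCapabilities=
CapabilityBoundingSet=
NoNewPrivileges=true
RestrictSUIDSGID=true
PrivateUsers=true

# --- Kernel and /proc exposure ---
# Only the unit's own processes are visible under /proc, and nothing besides
# the per-PID directories.
ProtectProc=noaccess
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true

# --- Process restrictions ---
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictNamespaces=true
RestrictRealtime=true
# IPv4, IPv6 and UNIX sockets only; netlink, packet and other families are refused.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# --- System calls ---
SystemCallArchitectures=native
# Deny-list ("~" prefix): the listed groups are blocked, every other call stays
# allowed. A blocked call terminates the process with SIGSYS because no
# SystemCallErrorNumber= is set.
# NOTE(review): an allow-list based on @system-service would be tighter; test
# ezstream under it before switching.
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @swap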

[Install]
# "systemctl enable" hooks the unit into multi-user.target, so it starts at boot.
WantedBy=multi-user.target