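# systemd service unit: runs Liquidsoap with /etc/dwelling/radio.liq as a
# sandboxed, unprivileged service that depends on icecast.service.

[Unit]
Description=Arav's dwelling / Radio / Liquidsoap
Requires=icecast.service
# After= only orders units; Wants= is what pulls network-online.target into
# the transaction, so that the ordering below has an effect.
Wants=network-online.target
After=network-online.target icecast.service

[Service]
Type=simple
Restart=on-failure
# DynamicUser allocates the UID/GID at start. If a static user with this name
# already exists, systemd uses that account instead.
User=dwelling-radio
DynamicUser=true
ExecStart=/opt/opam/default/bin/liquidsoap /etc/dwelling/radio.liq
# Stop with SIGINT. This replaces "ExecStop=/bin/kill -INT $MAINPID": that
# command returned immediately, after which systemd sent SIGTERM straight
# away, so the SIGINT shutdown was never waited for. With KillSignal= systemd
# waits up to TimeoutStopSec= before escalating to SIGKILL. Under the default
# KillMode= the signal goes to every process in the unit's control group.
KillSignal=SIGINT

# Filesystem: the whole tree is read-only; the logs directory is the only
# writable location this unit declares.
ReadOnlyPaths=/
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
LogsDirectory=dwelling-radio

# Privileges: empty assignments drop every capability, and NoNewPrivileges
# prevents regaining any through setuid/setgid or file capabilities.
AmbientCapabilities=
CapabilityBoundingSet=
NoNewPrivileges=true
PrivateUsers=true
RestrictSUIDSGID=true
LockPersonality=true
RestrictNamespaces=true
RestrictRealtime=true
# Denies memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=true

# Kernel and host interfaces.
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
# /proc: hide other users' processes and everything that is not per-process.
ProtectProc=noaccess
ProcSubset=pid

# Network: IPv4, IPv6 and Unix sockets only (no netlink, packet or raw
# link-layer sockets).
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# System calls: deny-list ("~" prefix); repeated assignments accumulate.
# No SystemCallErrorNumber= is set, so a denied call terminates the process
# instead of returning an error.
SystemCallArchitectures=native
SystemCallFilter=~@clock
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@debug
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@obsolete
SystemCallFilter=~@privileged
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@swap

[Install]
WantedBy=multi-user.target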