[Unit]
Description=steffen Xxx/Rfs Webservice
After=network.target syslog.socket
StartLimitBurst=5
StartLimitIntervalSec=10

[Service]
Type=forking
User=steffen-xxx
Group=webapps
WorkingDirectory=/opt/xxx/app
ExecStart=/usr/bin/hypnotoad ./script/XxxApp
ExecReload=/usr/bin/hypnotoad ./script/XxxApp
Restart=on-failure
PIDFile=/run/xxx.pid
KillMode=process

# Optional hardening to improve security
ReadWritePaths=/opt/xxx
NoNewPrivileges=yes
MemoryDenyWriteExecute=true
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
#ProtectSystem=strict
ProtectControlGroups=true
#RestrictSUIDSGID=true
RestrictRealtime=true
LockPersonality=true
#ProtectKernelLogs=true
ProtectKernelTunables=true
#ProtectHostname=true
ProtectKernelModules=true
PrivateUsers=true
#ProtectClock=true
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target