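# Archipelago backend service (systemd unit).
# Runs /usr/local/bin/archipelago as the unprivileged "archipelago" user inside
# a restricted sandbox; writable state lives under /var/lib/archipelago.

[Unit]
Description=Archipelago Backend
# After= only orders start-up; it does not pull archipelago-setup-tor.service in.
# Only network-online.target is requested (Wants=).
After=network-online.target archipelago-setup-tor.service
Wants=network-online.target

[Service]
# Type=notify: the service is considered started only once the process sends
# READY=1 via sd_notify; TimeoutStartSec below bounds how long that may take.
Type=notify
User=archipelago

# Listens on every interface, port 5678.
Environment="ARCHIPELAGO_BIND=0.0.0.0:5678"
# NOTE(review): dev mode is enabled while the service is bound to all
# interfaces. What the flag relaxes is not visible in this unit; confirm it is
# intended for this deployment.
Environment="ARCHIPELAGO_DEV_MODE=true"

# Record the host's first IP address in /var/lib/archipelago/host-ip.env.
# "$$1" is systemd's escape for a literal "$1". The address list is split into
# positional parameters because the earlier form, awk "{print $1}" nested in
# double quotes, let bash expand $1 (empty) before awk ran, so awk printed every
# address instead of the first.
# NOTE(review): ReadWritePaths= fails unit start-up if the path is missing, and
# this command runs as User=archipelago under ProtectSystem=strict, so the
# mkdir cannot create the directory on a fresh host. StateDirectory=archipelago
# would let systemd create it; verify how the directory is provisioned.
# NOTE(review): the sandbox also applies to ExecStartPre. "hostname -I" usually
# enumerates interfaces over an AF_NETLINK socket, which
# RestrictAddressFamilies= below does not allow; check that the file is not
# written with an empty value.
# NOTE(review): nothing in this unit reads host-ip.env back (no
# EnvironmentFile=); presumably the backend or another unit consumes it.
ExecStartPre=/bin/bash -c 'mkdir -p /var/lib/archipelago && set -- $(hostname -I 2>/dev/null) && echo "ARCHIPELAGO_HOST_IP=$$1" > /var/lib/archipelago/host-ip.env'
ExecStart=/usr/local/bin/archipelago

# Restart 5 s after an unclean exit. The process must also send WATCHDOG=1 at
# least every 300 s, otherwise systemd treats the service as failed.
Restart=on-failure
RestartSec=5
WatchdogSec=300
TimeoutStartSec=300

# Filesystem protection: the whole file system is read-only except
# /var/lib/archipelago, home directories are inaccessible, and /tmp is private.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/lib/archipelago

# Privilege restriction: no privilege gain through setuid/setgid binaries or
# file capabilities, and no access to physical devices.
NoNewPrivileges=yes
PrivateDevices=yes

# Network restriction (allow only IPv4/IPv6 + Unix sockets)
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# Restrict what the process can do
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

# Only allow needed syscalls: start from the @system-service allow-list, then
# remove the @privileged and @resources groups from it (the "~" prefix negates).
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

# Memory protection: forbid mappings that are both writable and executable.
MemoryDenyWriteExecute=yes

# Logging
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target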