archy/image-recipe/configs/archipelago.service

[Unit]
Description=Archipelago Backend
After=network-online.target archipelago-setup-tor.service
Wants=network-online.target

[Service]
Type=notify
User=archipelago
Environment="ARCHIPELAGO_BIND=0.0.0.0:5678"
Environment="ARCHIPELAGO_DEV_MODE=true"
ExecStartPre=/bin/bash -c 'mkdir -p /var/lib/archipelago && echo "ARCHIPELAGO_HOST_IP=$(hostname -I 2>/dev/null | awk "{print $$1}")" > /var/lib/archipelago/host-ip.env'
ExecStart=/usr/local/bin/archipelago
Restart=on-failure
RestartSec=5
WatchdogSec=300
TimeoutStartSec=300

# Filesystem protection
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/lib/archipelago

# Privilege restriction
NoNewPrivileges=yes
# PrivateDevices=no: serial access to /dev/ttyUSB* needed for mesh radios.
# Device access still gated by Unix permissions (dialout group) + other sandboxing.
PrivateDevices=no
SupplementaryGroups=dialout

# Network restriction (allow only IPv4/IPv6 + Unix sockets)
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# Restrict what the process can do
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

# Only allow needed syscalls
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

# Memory protection
MemoryDenyWriteExecute=yes

# Logging
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target