# systemd service unit for the signal-cli daemon, started together with
# signal-cli-socket.socket (see Requires= and Also= below).
# NOTE(review): which clients may reach the daemon is decided by that socket
# unit, which is not shown here. Review its listen address and permissions
# alongside this file.

[Unit]
Description=Send secure messages to Signal clients
Requires=signal-cli-socket.socket
After=network-online.target
Wants=network-online.target

[Service]
# --- Identity ---------------------------------------------------------------
# Create the user and home directory with 'useradd -r -U -s /usr/sbin/nologin -m -b /var/lib signal-cli'
User=signal-cli
# Files the service creates are readable and writable by their owner only.
UMask=0077

# --- Command ----------------------------------------------------------------
# Presumably options picked up by the signal-cli launcher; confirm against bin/signal-cli.
Environment="SIGNAL_CLI_OPTS=-Xms2m"
# NOTE(review): '%dir%' looks like an install-time placeholder rather than a
# systemd specifier. Replace it with the absolute installation directory
# before installing the unit.
# Update 'ReadWritePaths' if you change the config path here
ExecStart=%dir%/bin/signal-cli --config /var/lib/signal-cli daemon

# --- Standard streams -------------------------------------------------------
# stdin is the socket handed over by the socket unit; stdout and stderr go to the journal.
StandardInput=socket
StandardOutput=journal
StandardError=journal

# --- Privileges -------------------------------------------------------------
# An empty assignment clears the capability bounding set.
CapabilityBoundingSet=
NoNewPrivileges=true
RestrictSUIDSGID=true
RestrictRealtime=true
LockPersonality=true

# --- Filesystem -------------------------------------------------------------
# 'strict' mounts the file system hierarchy read-only for this service;
# ReadWritePaths is the only writable exception listed in this unit.
ProtectSystem=strict
# Profile pictures and attachments to upload must be located here for the service to access them
ReadWritePaths=/var/lib/signal-cli
ProtectHome=true
PrivateTmp=true
PrivateDevices=true

# --- Namespaces, IPC and /proc ----------------------------------------------
PrivateUsers=true
PrivateIPC=true
RemoveIPC=true
RestrictNamespaces=true
ProcSubset=pid
ProtectProc=invisible

# --- Kernel and host state --------------------------------------------------
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true

# --- Network ----------------------------------------------------------------
# Allow-list: the service may create IPv4 and IPv6 sockets only.
RestrictAddressFamilies=AF_INET AF_INET6

# --- System calls -----------------------------------------------------------
SystemCallArchitectures=native
# The leading '~' makes this a deny-list of the named syscall groups.
SystemCallFilter=~@debug @mount @obsolete @privileged @resources

[Install]
WantedBy=default.target
Also=signal-cli-socket.socket