From ad63b8b1b439ce89ed2576e1d2947dea5fc92f63 Mon Sep 17 00:00:00 2001
From: jvoisin <julien.voisin@dustri.org>
Date: Sat, 21 Mar 2020 12:57:15 +0100
Subject: [PATCH] Add a systemd startup unit

---
 README.md                 |  6 ++++++
 contrib/navidrome.service | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 contrib/navidrome.service

diff --git a/README.md b/README.md
index 3dc75be42..eeecb8267 100644
--- a/README.md
+++ b/README.md
@@ -135,6 +135,12 @@ user.
 
 For more options, run `navidrome --help` 
 
+### Running as a service
+
+Check the [contrib](https://github.com/deluan/navidrome/tree/master/contrib)
+folder for startup files for your init system.
+
+
 ## Screenshots
 
 <p align="center">
diff --git a/contrib/navidrome.service b/contrib/navidrome.service
new file mode 100644
index 000000000..361c95e72
--- /dev/null
+++ b/contrib/navidrome.service
@@ -0,0 +1,38 @@
+# This file ususaly goes in /etc/systemd/system
+
+[Unit]
+Description=Navidrome Daemon
+After=network.target
+
+[Service]
+User=navidrome
+Group=navidrome
+Type=simple
+ExecStart=/opt/navidrome/navidrome
+WorkingDirectory=/opt/navidrome
+TimeoutStopSec=20
+KillMode=process
+Restart=on-failure
+
+# See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+DevicePolicy=closed
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap
+ReadWritePaths=/opt/navidrome/
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=true
+
+MemoryDenyWriteExecute=yes
+
+
+[Install]
+WantedBy=multi-user.target