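# systemd unit for the Daplie tunnel server (stunneld).
# One directive per line: systemd does not parse several settings on one line.

[Unit]
Description=Daplie Tunnel Server
# Order after, and pull in, network-online.target so the server starts once
# the network is reported as up.
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
# Always restart, unless it's restarting fast enough for us to believe it's completely broken
# (after 3 starts within 10 seconds, further starts are refused and the unit is left failed).
# These are the legacy [Service] spellings; newer systemd documents them under
# [Unit] as StartLimitIntervalSec= / StartLimitBurst= and still accepts these.
Restart=always
StartLimitInterval=10
StartLimitBurst=3

# Run unprivileged. NOTE(review): www-data is commonly the web server's account
# too; a dedicated user would stop a compromise of one service from reaching the
# other's files. Also confirm www-data cannot write to /srv/stunneld/bin.
User=www-data
Group=www-data

WorkingDirectory=/srv/stunneld

# TODO needs --config option and these options should go in a config file
# SECURITY: --secret is passed on the command line, so it is readable by any
# local user through this unit file, `systemctl cat` / `systemctl show`, and the
# process arguments under /proc (unless /proc is mounted with hidepid).
# Restricting the unit file's mode does not help; systemd exposes unit settings
# over its API regardless. Until a --config option exists, EnvironmentFile=
# pointing at a root-only file keeps the value out of the unit, though it would
# still appear in the process arguments. Rotate any secret that was deployed inline.
ExecStart=/srv/stunneld/bin/stunneld.js --servernames tunnel.example.com --secret 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' --email tunnel@example.com --agree-tos

# Grant only the capability needed to bind ports below 1024 as a non-root user,
# cap the bounding set to that one capability, and forbid gaining privileges
# through exec (setuid/setgid binaries, file capabilities).
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
# NOTE(review): further sandboxing (ProtectSystem=, ProtectHome=, PrivateTmp=)
# is worth evaluating; it is not enabled here because the paths the server
# writes to (e.g. certificate storage) are not visible in this unit.

[Install]
WantedBy=multi-user.target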