From 3e52cead0d82dc61cf3f6dd313d0d05f63e8492a Mon Sep 17 00:00:00 2001
From: Sven Strickroth <email@cs-ware.de>
Date: Mon, 18 May 2026 17:56:24 +0200
Subject: [PATCH] Harden the systemd unit file

Signed-off-by: Sven Strickroth <email@cs-ware.de>
---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/README.md b/README.md
index 2670413..3bd5b2f 100644
--- a/README.md
+++ b/README.md
@@ -78,6 +78,14 @@ Type = notify
 User = www-data
 Restart = always
 RestartSec = 60
+ProtectSystem=full
+PrivateDevices=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+RestrictRealtime=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
 
 [Install]
 WantedBy = multi-user.target