# systemd service unit: runs the "syntax-highlighting-server" ASGI app under
# uvicorn on TCP port 4872, inside a tightly sandboxed, throw-away account.
# Only full-line comments are used; systemd does not support trailing comments.

[Unit]
Description=syntax highlighting server

[Service]
Type=simple
# @libdir@ looks like a build-time placeholder that is substituted when the
# unit is installed - confirm against the build system.
# NOTE(review): no --host is passed, so the listen address is whatever uvicorn
# defaults to (loopback, as far as I know - confirm for the packaged version).
# Port 4872 is unprivileged, so binding it needs no capability.
ExecStart=/usr/bin/uvicorn --app-dir @libdir@/cgit --port 4872 syntax-highlighting-server:app

# Run as a transient UID/GID allocated at start instead of a static account.
# DynamicUser=yes already implies several of the settings spelled out below
# (e.g. NoNewPrivileges=, PrivateTmp=, RestrictSUIDSGID=, ProtectSystem=strict);
# repeating them keeps the policy readable and independent of that implication.
DynamicUser=yes

# Unit-level packet filter: traffic to or from anything but localhost is
# dropped, whatever address the process itself binds to.
# NOTE(review): enforcement depends on the unified cgroup hierarchy and BPF
# support on the host; on a host without them the filter is presumably not
# applied - verify on the target system.
IPAddressAllow=localhost
IPAddressDeny=any

# Pin the execution domain (personality) so it cannot be changed at runtime.
LockPersonality=yes
# Refuse memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=yes
# The service and its children can never gain privileges through execve().
NoNewPrivileges=yes
# Empty assignment: the capability bounding set is cleared, so no capability
# can be acquired by any process of this service.
CapabilityBoundingSet=

# Private /dev with only pseudo-devices, and private /tmp and /var/tmp.
PrivateDevices=yes
PrivateTmp=yes

# Kernel-facing surfaces: clock, cgroup tree, hostname, module loading,
# kernel tunables and the kernel log are made read-only or inaccessible.
ProtectClock=yes
ProtectControlGroups=yes
# Home directories are inaccessible to the service.
ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
# The whole file system hierarchy is read-only for the service, apart from
# /dev, /proc and /sys. No StateDirectory=/ReadWritePaths= is declared here,
# so the service has no persistent writable location.
ProtectSystem=strict

# Sockets may only be created for these address families.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# No namespace creation or switching, no realtime scheduling, and no creation
# of set-user-ID / set-group-ID files.
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

# Only system calls of the native ABI, and only those in systemd's predefined
# @system-service allow-list, are permitted.
SystemCallArchitectures=native
SystemCallFilter=@system-service

[Install]
# Pulled in by the normal multi-user boot target once the unit is enabled.
WantedBy=multi-user.target