[Unit]
Description=kiss-ftpd FTP daemon
After=network-online.target
Wants=network-online.target
StartLimitIntervalSec=0
Documentation=https://code.moparisthebest.com/moparisthebest/kiss-ftpd
Documentation=https://github.com/moparisthebest/kiss-ftpd

[Service]
ExecStart=/usr/bin/kiss-ftpd
Restart=always
RestartSec=1s
User=ftp
Group=ftp
WorkingDirectory=/srv/ftp
ReadWritePaths=/srv/ftp
Environment=KISS_FTPD_LOG_LEVEL=WARN

# anything under here isn't strictly needed, but probably good
# to lock this down with the minimal permissions necessary
# which are not many at all
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=net
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
SystemCallArchitectures=native
# these are just needed to bind to low ports
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target