[Unit]
Description=myapp
After=network.target iptables.service mariadb.service
# Location of this file would be /etc/systemd/system/myapp.service (on redhat and debian)

[Service]
Type=simple
User=myuser
Group=myuser
#WorkingDirectory=/srv/myapp
#ExecStart=/srv/myapp/myapp
ExecStart=/myapp
Restart=always
RestartSec=1m
#Environment=USER=x HOME=/home/x

# Hardening
NoNewPrivileges=true
PrivateTmp=true
PrivateMounts=true
PrivateDevices=true
ProtectSystem=full
ProtectHostname=true
ProtectKernelTunables=true
ProcSubset=pid
RestrictSUIDSGID=true
PrivateUsers=true
RootDirectory=/srv/myapp
BindReadOnlyPaths=/etc/resolv.conf
# ^ Golang needs this file or else DNS won't work, even if the file is empty
InaccessiblePaths=/bin /boot /lib /lib64 /media /mnt /opt /root /sbin /usr /var
# ^ This isn't really needed as RootDirectory makes them unavailable anyways
StandardOutput=append:/srv/myapp/stdout.log
StandardError=inherit

[Install]
WantedBy=multi-user.target