[Unit]
Description=CouchDB Server

[Service]
User=couchdb
Group=couchdb
Type=simple
WorkingDirectory=~
StateDirectory=couchdb
EnvironmentFile=/etc/default/couchdb
ExecStart=/usr/lib/couchdb/bin/couchdb
ReadWritePaths=/etc/couchdb/local.ini
Restart=always
RestartSec=2s
AmbientCapabilities=
CapabilityBoundingSet=
LockPersonality=true
# Not compatible with the use of JS
#MemoryDenyWriteExecute=true
NoNewPrivileges=True
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=yes
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=yes
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target