[Unit]
Description=OONI Probe CLI
Documentation=man:ooniprobe-cli
#Documentation=file:///usr/share/doc/ooniprobe-cli/html/index.html
Documentation=https://ooni.org/
After=network.target tor.target
Wants=network-online.target
ConditionPathExists=/etc/ooniprobe/ooniprobe.conf

[Service]
Type=simple
ExecStart=/usr/bin/ooniprobe --config=/etc/ooniprobe/ooniprobe.conf run unattended
TimeoutStopSec=5
KillMode=mixed

Environment="OONI_HOME=/var/lib/ooniprobe"
User=ooniprobe
PermissionsStartOnly=true
Restart=on-abnormal
RestartSec=2s
LimitNOFILE=65536
WorkingDirectory=/var/lib/ooniprobe

# Sandboxing
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
LockPersonality=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/log/ooniprobe
ReadWriteDirectories=-/var/lib/ooniprobe
ReadWriteDirectories=-/var/run
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target