# RaspiBlitz: systemd unit for bitcoind
# based on https://github.com/bitcoin/bitcoin/blob/master/contrib/init/bitcoind.service
#
# Runs bitcoind as the unprivileged bitcoin user with its config, data directory
# and debug log under /mnt/hdd/bitcoin. The ExecStartPre= helpers are exempt from
# User=/Group= (see PermissionsStartOnly= below).

[Unit]
Description=Bitcoin daemon
# Order after, and pull in, network-online.target.
After=network-online.target
Wants=network-online.target

# for use with sendmail alert
#OnFailure=systemd-sendmail@%n

[Service]
# Pre-start hook that logs the STARTED event. The leading "-" tells systemd to
# ignore a non-zero exit, so a failing or missing script does not block startup.
# Because of PermissionsStartOnly=true below, User=/Group= are not applied to this
# command; on a system unit it therefore runs as root. Keep the script and its
# parent directories writable only by trusted accounts.
ExecStartPre=-/home/admin/config.scripts/blitz.systemd.sh log blockchain STARTED
# Main process. Config file, data directory and debug log are all pinned to
# /mnt/hdd/bitcoin on the command line.
ExecStart=/usr/local/bin/bitcoind -daemonwait \
    -conf=/mnt/hdd/bitcoin/bitcoin.conf \
    -datadir=/mnt/hdd/bitcoin \
    -debuglogfile=/mnt/hdd/bitcoin/debug.log

# Make sure the config directory is readable by the service user
# PermissionsStartOnly=true restricts the permission-related settings (User=,
# Group= and similar) to ExecStart=, so the chgrp below can run with the
# privileges needed to change group ownership. The chgrp is not recursive: only
# /mnt/hdd/bitcoin itself is reassigned to group bitcoin.
# NOTE(review): PermissionsStartOnly= is a legacy setting; newer systemd documents
# per-command prefixes for the same purpose. Confirm on the deployed systemd
# version whether the hardening options below also apply to ExecStartPre= commands.
PermissionsStartOnly=true
ExecStartPre=/bin/chgrp bitcoin /mnt/hdd/bitcoin

# Process management
####################

# bitcoind is started with -daemonwait and detaches, hence Type=forking.
# NOTE(review): no PIDFile= is set, so systemd has to guess the main PID; the
# upstream unit this file is based on pairs Type=forking with a PIDFile=.
Type=forking
Restart=on-failure
# No start timeout: systemd waits indefinitely for the start command to return.
TimeoutStartSec=infinity
# Allow up to 600 seconds for shutdown before systemd escalates.
TimeoutStopSec=600

# Directory creation and permissions
####################################

# Run as bitcoin:bitcoin
User=bitcoin
Group=bitcoin

# stdout is discarded; only stderr reaches the journal.
StandardOutput=null
StandardError=journal

# Hardening measures
####################

# Provide a private /tmp and /var/tmp.
PrivateTmp=true

# Mount /usr, /boot/ and /etc read-only for the process.
# /mnt/hdd is not covered by this setting, so the data directory stays writable.
ProtectSystem=full

# Deny access to /home, /root and /run/user
ProtectHome=true

# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true

# Use a new /dev namespace only populated with API pseudo devices
# such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true

# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target