From f9ca5f299fb4db247f4ca7b572a8f8236af154fe Mon Sep 17 00:00:00 2001
From: Arian Nasr
Date: Sun, 5 Apr 2026 17:04:14 -0400
Subject: [PATCH] add systemd service file
---
contrib/navidrome-uploader.service | 47 ++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
create mode 100644 contrib/navidrome-uploader.service
diff --git a/contrib/navidrome-uploader.service b/contrib/navidrome-uploader.service
new file mode 100644
index 0000000..c20345f
--- /dev/null
+++ b/contrib/navidrome-uploader.service
@@ -0,0 +1,47 @@
+[Unit]
+Description=Navidrome Music Uploader Service
+After=network.target,navidrome.service
+
+[Service]
+Type=simple
+User=navidrome-uploader
+Group=navidrome-uploader
+WorkingDirectory=/opt/navidrome-uploader
+Environment="PATH=/opt/navidrome-uploader/venv/bin"
+EnvironmentFile=/etc/default/navidrome-uploader/.env
+ExecStart=/opt/navidrome-uploader/venv/bin/gunicorn -c gunicorn.conf.py main:app
+Restart=on-failure
+RestartSec=30
+
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+ReadWritePaths=/opt/uploader
+InaccessiblePaths=/boot /mnt /media
+
+PrivateDevices=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+ProtectClock=yes
+ProtectHostname=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+PrivateNetwork=no
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+UMask=0027
+
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
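Review bot: `After=network.target,navidrome.service` in `[Unit]` uses a comma, but systemd reads unit lists as whitespace-separated, so this is taken as one invalid unit name and the ordering is most likely dropped with only a log warning; it should be `After=network.target navidrome.service`. In `[Service]`, `ProtectSystem=strict` leaves `ReadWritePaths=/opt/uploader` as the only writable location, and that path differs from `WorkingDirectory=/opt/navidrome-uploader`. Please confirm it is the real upload target and that it exists at install time, because a missing path without a `-` prefix makes the unit fail at namespace setup. `UMask=0027` with a dedicated `navidrome-uploader` group presumably means the Navidrome service account must be in that group to read uploaded files, which deserves a comment in the unit. The file named by `EnvironmentFile=` likely holds credentials, so a comment that it should be root-owned and mode 0600 would help whoever installs this.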