[Unit]
Description=LiveKit Server (WebRTC SFU)
Documentation=https://docs.livekit.io/
Wants=network-online.target
After=network-online.target

[Service]
Type=simple

Environment="LIVEKIT_CONFIG_FILE=/etc/livekit/livekit.yaml"

ExecStart=/usr/sbin/livekit --config $LIVEKIT_CONFIG_FILE

User=livekit
Group=livekit
UMask=0077
WorkingDirectory=/var/lib/livekit

Restart=on-failure
RestartSec=2s
TimeoutStopSec=20s
KillMode=mixed

StateDirectory=livekit
RuntimeDirectory=livekit
LogsDirectory=livekit

NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectClock=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
DevicePolicy=closed
KeyringMode=private
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_PACKET
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target