# It is not recommended to modify this file in-place, because it will
# be overwritten during package upgrades. If you want to add further
# options or overwrite existing ones then use
# $ systemctl edit lightningd.service
# See "man systemd.service" for details.

# Note that almost all daemon options could be specified in
# /etc/lightningd/lightningd.conf

[Unit]
Description=Core Lightning daemon
Requires=bitcoind.service
After=bitcoind.service
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/lightningd --conf /etc/lightningd/lightningd.conf --pid-file=/run/lightningd/lightningd.pid

# Creates /run/lightningd owned by bitcoin
RuntimeDirectory=lightningd
# Creates /etc/lightningd owned by bitcoin
ConfigurationDirectory=lightningd

User=bitcoin
Group=bitcoin
Type=simple
PIDFile=/run/lightningd/lightningd.pid
Restart=on-failure

# Hardening measures
####################

# Provide a private /tmp and /var/tmp.
PrivateTmp=true

# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full

# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true

# Use a new /dev namespace only populated with API pseudo devices
# such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true

# Deny the creation of writable and executable memory mappings.
# NOTE: This seems to break node.js plugins, notably Ride-The-Lightning/c-lightning-REST:
#  https://github.com/Ride-The-Lightning/c-lightning-REST/issues/116
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target