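# Runs /usr/local/bin/create-expense as the unprivileged annualexpense
# account inside a restricted systemd sandbox.
# One directive per line: systemd does not parse several settings on a line.

[Unit]
Description=Annual expense tracker
# If the binary is missing the unit is skipped rather than marked failed.
ConditionPathExists=/usr/local/bin/create-expense

[Service]
Type=simple
User=annualexpense
Group=annualexpense
LimitNOFILE=1024

# --- Sandboxing -----------------------------------------------------------
LockPersonality=true
# No privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectControlGroups=true
# ProtectHome=true makes /home inaccessible, which conflicts with the
# WorkingDirectory below (the chdir into it is expected to fail at start).
# tmpfs hides every home directory and BindPaths= re-exposes only the
# service's own one. Needs a systemd release that supports
# ProtectHome=tmpfs. Use BindReadOnlyPaths= instead if the service never
# writes there (not visible from this unit).
ProtectHome=tmpfs
BindPaths=/home/annualexpense
ProtectKernelModules=true
ProtectKernelTunables=true
# /usr, /boot and /etc are mounted read-only for the service.
ProtectSystem=full
# Only Unix-domain and IPv4/IPv6 sockets may be created.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native

# --- Capabilities ---------------------------------------------------------
# Presumably granted so the non-root service can listen on a port below
# 1024; confirm against the application's listen address.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Cap the bounding set at the same single capability so nothing else can
# ever be acquired by the service or its children.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# --- Runtime --------------------------------------------------------------
Restart=on-failure
RestartSec=10
# Spelled to match the binary name so `journalctl -t create-expense` finds
# the logs; update any log filter that relied on a different identifier.
SyslogIdentifier=create-expense
WorkingDirectory=/home/annualexpense
ExecStart=/usr/local/bin/create-expense

[Install]
WantedBy=multi-user.target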