[Unit]
Description=SSO Server
After=network.target auth-server.socket

[Service]
User=sso-server
Group=sso-server
EnvironmentFile=-/etc/default/sso-server
ExecStart=/usr/bin/sso-server --addr $ADDR
Restart=always

# Hardening
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target