# systemd unit template for the nohang OOM-prevention daemon.
# The :TARGET_BIN: and :TARGET_CONF: tokens look like install-time placeholders;
# confirm they are substituted before this file is installed as a unit.
# NOTE(review): no User= is set, so as a system service this runs as root and
# the sandboxing and capability settings below are the main privilege limits.

[Unit]
Description=Highly configurable OOM prevention daemon
Documentation=man:nohang(1) https://github.com/hakavlad/nohang
After=system.slice

[Service]
# Start the daemon with an explicit configuration file.
ExecStart=:TARGET_BIN:/nohang --config :TARGET_CONF:/nohang/nohang.conf
SyslogIdentifier=nohang
# Restart on any exit, with no delay between attempts.
Restart=always
RestartSec=0
# On stop: SIGTERM goes to the main process, SIGKILL to whatever remains in the
# unit's control group.
KillMode=mixed
# Upper bound on the number of tasks in this unit's control group.
TasksMax=100
# Raised CPU priority for the daemon; the elevated priority is reset on fork()
# so it does not carry over to child processes.
Nice=-5
CPUSchedulingResetOnFork=true
# Make the daemon a slightly less likely target for the kernel OOM killer.
OOMScoreAdjust=-5
# New files get no permissions for "other" and no write permission for group.
UMask=0027

# --- Sandboxing ---
# Private network namespace (loopback only) and private /tmp and /var/tmp.
PrivateNetwork=true
PrivateTmp=true
# No realtime scheduling, no writable+executable memory mappings, no kernel
# module loading, and only native-architecture system calls.
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
ProtectKernelModules=true
SystemCallArchitectures=native
# The whole file system is read-only except for the paths listed next.
# NOTE(review): /var and /run are writable in their entirety; limiting this to
# the directories the daemon actually writes to would tighten the sandbox.
# Confirm which paths nohang needs.
ReadOnlyPaths=/
ReadWritePaths=/tmp /var /run /dev/shm

# --- Capabilities ---
# The bounding set is the upper limit on capabilities for the service and
# anything it executes. It still includes broad ones: CAP_SYS_PTRACE,
# CAP_DAC_READ_SEARCH, CAP_SETUID and CAP_SETGID.
# NOTE(review): confirm each entry is still required by the daemon and drop any
# that are not.
CapabilityBoundingSet=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
# The ambient set mirrors the bounding set, so programs the daemon executes
# inherit these capabilities as well.
# NOTE(review): with no User= in this unit, confirm the ambient set is
# intentional. NoNewPrivileges= is not set here either; whether it can be
# enabled depends on whether the daemon runs setuid helpers. Verify.
AmbientCapabilities=CAP_KILL CAP_IPC_LOCK CAP_SYS_PTRACE CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE

[Install]
WantedBy=multi-user.target