After=network.target
[Service]
-# don't daemonize to simplify stuff
-ExecStart=/usr/sbin/ngircd -n
+Type=forking
+User=irc
+Group=irc
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_NET_BIND_SERVICE
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=true
+NoNewPrivileges=true
+RuntimeDirectory=ircd
+RuntimeDirectoryMode=750
+ExecStart=/usr/sbin/ngircd
ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
[Install]
WantedBy=multi-user.target