simplify systemd service config

Author: wojcik91

nix/nixos-module.nix

@@ -42,38 +42,20 @@ in {
       after = ["network-online.target"];
       serviceConfig = {
         ExecStart = "${cfg.package}/bin/defguard-service --log-level ${cfg.logLevel} --stats-period ${toString cfg.statsPeriod}";
-        Restart = "on-failure";
-        RestartSec = 5;
-        User = "defguard";
+        ExecReload = "/bin/kill -HUP $MAINPID";
         Group = "defguard";
-        StateDirectory = "defguard-service";
-        LogsDirectory = "defguard-service";
-        # Add capabilities to manage network interfaces
-        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_MODULE";
-        AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_MODULE";
-        # Allow access to /dev/net/tun for TUN/TAP devices
-        DeviceAllow = "/dev/net/tun rw";
-        # Access to /sys for network configuration
-        BindReadOnlyPaths = [
-          "/sys"
-          "/proc"
-        ];
-        # Protect the system while giving necessary access
-        ProtectSystem = "strict";
-        ProtectHome = true;
-        NoNewPrivileges = true;
-        # Allow the service to manage network namespaces
-        PrivateNetwork = false;
+        Restart = "on-failure";
+        RestartSec = 2;
+        KillMode = "process";
+        KillSignal = "SIGINT";
+        LimitNOFILE = 65536;
+        LimitNPROC = "infinity";
+        TasksMax = "infinity";
+        OOMScoreAdjust = -1000;
       };
     };
 
-    # Setup defguard user & group
-    users.users.defguard = {
-      isSystemUser = true;
-      group = "defguard";
-    };
-
-    # Make sure the group exists
+    # Make sure the defguard group exists
     users.groups.defguard = {};
   };
 }