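# systemd service unit for Nexus 3 Repository OSS.
# Runs the launcher as the unprivileged nexus account with no capabilities
# and a restrictive sandbox.

[Unit]
Description=Nexus 3 Repository OSS
After=network.target

[Service]
# NOTE(review): with Type=simple the ExecStart process is the service itself.
# This presumes "nexus-oss start" stays in the foreground; a launcher that
# forks and exits would count as the service stopping, and Restart=always
# would start it again every RestartSec. Confirm against the launcher script.
Type=simple
LimitNOFILE=65536
User=nexus
Group=nexus
# Per-service directories under /run, /var/log and /var/lib. systemd creates
# them and hands ownership to User=/Group=, so they stay writable despite the
# read-only mounts configured below.
RuntimeDirectory=nexus-oss
LogsDirectory=nexus-oss
StateDirectory=nexus-oss
WorkingDirectory=/usr/lib/nexus-oss
ExecStart=/usr/bin/nexus-oss start
Restart=always
RestartSec=5s

# Privilege removal. Assigning the empty value resets each capability set, so
# the service has no ambient capabilities and an empty bounding set.
AmbientCapabilities=
CapabilityBoundingSet=
LockPersonality=true
NoNewPrivileges=true
# noroot-locked on its own only freezes the noroot flag in its current,
# cleared state. Set the flag as well so the locked value is the restrictive
# one.
SecureBits=noroot noroot-locked

# Private views of device nodes, temporary directories and user IDs.
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true

# Kernel interfaces and host state the service may not alter or inspect.
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
# Hides processes owned by other users in /proc.
ProtectProc=invisible
# full mounts /usr, the boot loader directories and /etc read-only.
# NOTE(review): the rest of the file system stays writable wherever file
# permissions allow. The *Directory= settings above already provide writable
# paths, so ProtectSystem=strict may be workable; verify that the service
# writes nowhere else before tightening.
ProtectSystem=full

# Socket address families the service may use; all others are refused.
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true

# System call allow-list: only the @system-service group, native ABI only.
# A filtered call fails with EPERM instead of terminating the process.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target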