ansible/roles/redis/instance/templates/redis.service

[Unit]
Description={{ service_description }}
After=network.target
Documentation=http://redis.io/documentation, man:redis-server(1)

[Service]
#Type=forking
Type=notify
ExecStart=/usr/bin/redis-server {{ configuration_file | quote }}
ExecStop=/bin/kill -s TERM $MAINPID
#PIDFile=/run/redis/redis-server.pid
TimeoutStopSec=0
Restart=always
User={{ system_user }}
Group={{ system_user }}
#RuntimeDirectory=redis
#RuntimeDirectoryMode=2755

UMask=007
PrivateTmp=yes
LimitNOFILE=65535
PrivateDevices=yes
ProtectHome=yes
ReadOnlyDirectories=/
ReadWriteDirectories=-{{ data_directory }}
ReadWriteDirectories=-{{ run_directory }}

NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SYS_RESOURCE
MemoryDenyWriteExecute=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_UNIX

ProtectSystem=full

[Install]
WantedBy=multi-user.target