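# systemd unit that starts the GNU Shepherd daemon from a Guix profile.
# NOTE(review): the %h / %t specifiers and WantedBy=default.target suggest this
# is meant to run under a per-user manager (systemctl --user) - confirm.

[Unit]
Description=GNU Shepherd Daemon
# NOTE(review): if this is a per-user unit, network.target and
# guix-daemon.service belong to the system manager, and these two lines would
# then have no effect. Verify they resolve where the unit is installed.
After=network.target
Wants=guix-daemon.service

[Service]
Type=forking
# The profile location is passed to the shell below through the environment.
Environment="GUIX_PROFILE=%h/.guix-profile"
Environment="GUIX_LOCPATH=%h/.guix-profile/lib/locale"
# etc/profile is sourced first so that shepherd is found on the PATH it sets.
ExecStart=/usr/bin/bash -c "source $GUIX_PROFILE/etc/profile && shepherd"
# NOTE(review): herd is resolved without the Guix profile being sourced here.
# Confirm it is on the manager's executable search path, or give a full path.
ExecStop=herd stop root
# Remove a stale control socket. -f keeps this step from failing, and so
# marking the unit as failed, when the socket is already gone after a stop.
ExecStopPost=rm -f -v %t/shepherd/socket

# Hardening. Everything below is disabled, so the daemon currently runs
# without any of these restrictions. Each setting applies to the whole
# service, so it also constrains every process that shepherd starts.
# Test them one at a time against the services shepherd manages.
# In a per-user manager some sandboxing options may depend on unprivileged
# user namespaces. Check what is effective with
# `systemd-analyze --user security <unit>.service`.
#
# Mount /usr and the boot loader directories read-only for the service.
# This does not cover $HOME or other paths such as /gnu/store.
# ProtectSystem=yes
#
# Stop the service and its children from gaining privileges through execve().
# Setuid helpers started from a shepherd service will no longer elevate.
# NoNewPrivileges=yes
# ProtectKernelTunables=yes
# ProtectControlGroups=yes
#
# AF_NETLINK is required by libsmbclient, or it will exit()
# RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
# Blocks namespace creation, so a shepherd service that creates namespaces
# (for example a container) would fail with this enabled.
# RestrictNamespaces=yes

[Install]
WantedBy=default.target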