Shiori

wget https://github.com/go-shiori/shiori/releases/download/v1.5.0/shiori-linux-amd64
sudo mkdir /var/lib/shiori
sudo mv shiori-linux-amd64 /usr/bin/shiori
sudo systemctl enable --now shiori
sudo chmod +x /usr/bin/shiori

/etc/systemd/system/shiori.service

[Unit]
Description=shiori service
Requires=network-online.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/shiori serve
Restart=always
User=shiori
Group=shiori

Environment="SHIORI_DIR=/var/lib/shiori"
DynamicUser=true
PrivateUsers=true
ProtectHome=true
ProtectKernelLogs=true
RestrictAddressFamilies=AF_INET AF_INET6
StateDirectory=shiori
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
SystemCallFilter=~@chown
SystemCallFilter=~@keyring
SystemCallFilter=~@memlock
SystemCallFilter=~@setuid
DeviceAllow=

CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectControlGroups=true
ProtectKernelTunables=true
ProtectSystem=full
ProtectClock=true
ProtectKernelModules=true
ProtectProc=noaccess
ProtectHostname=true
ProcSubset=pid
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=~@clock
SystemCallFilter=~@debug
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@obsolete
UMask=0077

[Install]
WantedBy=multi-user.target

sudo service shiori start