searxng/etc/systemd/system/searxng.service

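# searxng.service - systemd unit that runs the SearXNG docker-compose stack.
# Read by systemd from /etc/systemd/system/; full-line `#` comments only.
#
# NOTE: the sandboxing directives in [Service] confine the docker-compose
# client process started by this unit. The SearXNG containers themselves are
# created by the Docker daemon, outside this unit's cgroup and namespaces, so
# they are not covered by these restrictions.

[Unit]
Description=SearXNG service
# The container runtime and the reverse proxy must be running first;
# Upholds= additionally restarts them if they stop (needs systemd >= 249).
Requires=docker.service nginx.service
Upholds=docker.service nginx.service
After=docker.service nginx.service

[Service]
# Compose file path, expanded as ${SEARXNG_DOCKERCOMPOSEFILE} in the Exec* lines.
Environment=SEARXNG_DOCKERCOMPOSEFILE=/etc/searxng/docker-compose.yml
# Alternative working directory, kept for reference:
# WorkingDirectory=/var/lib/searxng
WorkingDirectory=/etc/searxng/searxng
# Restart unconditionally (not only on failure), waiting 7 seconds between
# attempts. Restart= is set exactly once; systemd takes the last assignment,
# so a second conflicting Restart= line would silently override this one.
Restart=always
RestartSec=7
# Tear down any stale stack before starting, keep the stack in the foreground
# for the lifetime of the unit, and tear it down again on stop.
ExecStartPre=/usr/bin/docker-compose -p searxng -f ${SEARXNG_DOCKERCOMPOSEFILE} down
ExecStart=/usr/bin/docker-compose -p searxng -f ${SEARXNG_DOCKERCOMPOSEFILE} up --remove-orphans
ExecStop=/usr/bin/docker-compose -p searxng -f ${SEARXNG_DOCKERCOMPOSEFILE} down

# --- Sandboxing of the docker-compose client process ---
# Deny-list of syscalls / syscall groups. A deny-list blocks only what it
# names; an allow-list (e.g. SystemCallFilter=@system-service) is the stronger
# form if docker-compose is verified to run under it.
SystemCallFilter=~memfd_create @reboot @swap @cpu-emulation @debug @module @clock @raw-io @obsolete
ProtectProc=invisible
ProcSubset=pid
ProtectHome=true
# Narrower alternative kept for reference (permits only the listed namespace types):
# RestrictNamespaces=uts ipc pid user cgroup
RestrictNamespaces=true
NoNewPrivileges=true
# Disabled setting kept for reference:
# SecureBits=noroot-locked
ProtectSystem=strict
PrivateTmp=true
DevicePolicy=closed
PrivateDevices=true
PrivateUsers=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
LockPersonality=true
MemoryDenyWriteExecute=true
# AF_UNIX covers the default Docker daemon socket; AF_INET/AF_INET6 cover TCP
# endpoints the compose client may need to reach.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target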