root@alpha:~# systemctl cat uwsgi-app@bepasty-moep.service --no-pager
# NOTE: `systemctl cat` prints the unit file and then each drop-in, every file
# introduced by a "# /path" header. Below: the packaged uWSGI template unit,
# then a local drop-in that tightens the sandbox for the bepasty-moep instance.
# The resulting exposure can be checked with
# `systemd-analyze security uwsgi-app@bepasty-moep.service`.

# /usr/lib/systemd/system/uwsgi-app@.service
[Unit]
Description=%i uWSGI app
Documentation=man:uwsgi(1) file:/usr/share/doc/uwsgi-core/README.Debian

[Service]
# NOTE: %i expands to the instance name, here "bepasty-moep", so the service
# reads /etc/uwsgi/apps-available/bepasty-moep.ini and runs as www-bepasty-moep.
ExecStart=/usr/bin/uwsgi --ini /etc/uwsgi/apps-available/%i.ini
User=www-%i
Group=www-data
# NOTE: per systemd.exec(5), DynamicUser=yes also implies ProtectSystem=strict,
# ProtectHome=read-only, PrivateTmp=yes and RemoveIPC=yes, and turns on
# NoNewPrivileges= and RestrictSUIDSGID=. That is why the drop-in needs
# ReadWritePaths= although its own ProtectSystem=strict line is commented out.
DynamicUser=yes
StateDirectory=uwsgi/%i
KillSignal=SIGQUIT
Type=notify

# /etc/systemd/system/uwsgi-app@bepasty-moep.service.d/override.conf
[Service]
# NOTE(review): the next line has neither '=' nor a comment marker; it is
# probably a comment or heading that lost its '#'. As written, systemd would
# skip it as unparsable and log a warning. Confirm against the file on disk.
Security lockdown.
[Service]
# NOTE: lines of the form "#Directive=..." are commented out and therefore
# inactive; the page does not say why the author left them disabled.
#CacheDirectory=%p
# NOTE: the empty assignment resets the capability bounding set to nothing, so
# the service cannot hold or regain any capability.
CapabilityBoundingSet=
#DevicePolicy=closed
#DynamicUser=yes
# Group=
#IPAddressDeny=any
LockPersonality=yes
# NOTE: systemd.exec(5) recommends combining MemoryDenyWriteExecute= with
# SystemCallArchitectures=native, since a secondary ABI can otherwise be used
# to sidestep it; that directive is commented out further down.
MemoryDenyWriteExecute=yes
PrivateDevices=yes
#PrivateNetwork=yes
PrivateUsers=yes
# NOTE: ProcSubset=pid hides the non-process parts of /proc. ProtectProc= is
# left disabled below, so other users' processes remain visible there.
ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
#ProtectProc=invisible
#ProtectSystem=strict
# NOTE: only AF_UNIX sockets may be created. With PrivateNetwork= and
# IPAddressDeny= disabled, this is the only network restriction in the drop-in;
# it does not apply to sockets handed to the process by other means.
# Presumably the app is reached through a local UNIX socket - confirm in the
# uWSGI ini, which is not shown here.
RestrictAddressFamilies=AF_UNIX
# NOTE(review): the disabled alternative below separates families with commas;
# systemd expects a space-separated list, so drop the commas if re-enabling it.
#RestrictAddressFamilies=AF_UNIX, AF_INET, AF_INET6
#RestrictNamespaces=yes
RestrictRealtime=yes
# NOTE: no system call filter is active; all three lines below are disabled.
#SystemCallArchitectures=native
#SystemCallFilter=@system-service
#SystemCallFilter=~@privileged @resources
# NOTE: UMask=0007 creates files with no permissions for "other"; owner and
# group (www-data, from the template unit) keep full access.
UMask=0007
#User=
# NOTE: code and static assets are read-only; the only extra writable path is
# the data directory below. NOTE(review): if www-bepasty-moep is not a static
# account, its UID is allocated dynamically, so verify that file ownership
# under /srv/bepasty/moep stays consistent across restarts.
ReadOnlyPaths=/usr/share/javascript/bepasty-pygments /usr/lib/python3/dist-packages/bepasty
ReadWritePaths=/srv/bepasty/moep