# systemd service unit for /usr/local/libexec/hinfo.network-notify.
# Sandboxing is opt-in per directive; anything not listed here keeps the
# systemd default.
#
# NOTE(review): this unit sets no User=/DynamicUser=, so unless a drop-in adds
# one the process runs as root. Candidates to evaluate once the binary's needs
# are confirmed: NoNewPrivileges=yes, CapabilityBoundingSet=,
# RestrictAddressFamilies=, RestrictSUIDSGID=yes, PrivateTmp=yes,
# ProtectHome=yes. `systemd-analyze security UNIT_NAME.service` scores the
# remaining exposure (UNIT_NAME is a placeholder).

[Service]
# --- Lifecycle ---
# The trailing 0.0.0.0 is presumably the listen/bind address (all IPv4
# interfaces) - confirm against the binary, and narrow it if the service only
# needs to be reachable on one interface.
ExecStart=/usr/local/libexec/hinfo.network-notify 0.0.0.0
# Restart on unclean exit (non-zero status, signal, timeout), not on clean stop.
Restart=on-failure

# --- File system and devices ---
# Whole hierarchy is read-only except the API file systems /dev, /proc, /sys.
ProtectSystem=strict
# Private /dev containing only pseudo-devices; no access to physical devices.
PrivateDevices=yes
# Files the service creates get no permission bits at all (mode 000).
# NOTE(review): fine if it writes nothing; verify if it ever creates a socket
# or state file that something else must open.
UMask=0777

# --- /proc visibility ---
# Hide processes the service could not ptrace, and expose only the per-process
# part of /proc.
ProtectProc=ptraceable
ProcSubset=pid

# --- Kernel and host state ---
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes

# --- Process restrictions ---
# No new namespaces of any type, no realtime scheduling, no personality changes.
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
# Refuse memory mappings that are both writable and executable.
MemoryDenyWriteExecute=yes

# --- System calls ---
# Only the native ABI, so the filter below cannot be sidestepped through a
# secondary architecture's syscall table.
SystemCallArchitectures=native
# Leading "~" makes this a deny-list: the listed groups are blocked, every
# other call stays allowed.
# NOTE(review): an allow-list (e.g. SystemCallFilter=@system-service) is
# tighter, but needs testing against the binary first.
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @resources @swap

[Install]
# Started as part of the normal multi-user boot when the unit is enabled.
WantedBy=multi-user.target