# systemd template unit for /usr/local/libexec/hinfo.network-proxy.
# %i in ExecStart is the instance name, so this file is meant to be installed
# as a template and started once per instance.

[Unit]
# Weak dependency on knot.service, ordered after it. Wants= does not stop this
# unit from starting if knot.service fails to start.
Wants=knot.service
After=knot.service

[Service]
# --- Process and inputs ---------------------------------------------------
# ${PUBKEY} (braced form) is passed as exactly one argument. It is not set in
# this unit, so it is expected to come from one of the EnvironmentFile= entries.
ExecStart=/usr/local/libexec/hinfo.network-proxy %i ${PUBKEY}
Restart=on-failure
# The files are read in the order listed; a later assignment of the same
# variable overrides an earlier one.
EnvironmentFile=/usr/local/etc/hinfo.network-proxy.public
# NOTE(review): presumably holds key material; confirm it is owned by root and
# not world-readable. Values loaded here end up in the process environment,
# which child processes inherit. systemd's credential mechanism
# (LoadCredential=) is the documented alternative for secrets.
EnvironmentFile=/usr/local/etc/hinfo.network-proxy.private
# Only stderr goes to this file; stdout keeps its default destination. The path
# does not contain %i, so every instance appends to the same file.
StandardError=append:/var/log/hinfo.network-proxy

# --- Identity and privileges ---------------------------------------------
# Transient UID/GID allocated at start. Also implies NoNewPrivileges=,
# RestrictSUIDSGID=, PrivateTmp= and RemoveIPC=.
DynamicUser=true
PrivateUsers=yes
# Empty assignment: the capability bounding set is cleared completely.
CapabilityBoundingSet=
LockPersonality=yes
RestrictRealtime=yes
# Any file the service creates starts with no permission bits set.
UMask=0777

# --- Filesystem and /proc view -------------------------------------------
ProtectSystem=strict
ProtectHome=yes
PrivateDevices=yes
ProtectProc=ptraceable
ProcSubset=pid

# --- Kernel and host surface ---------------------------------------------
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=true
MemoryDenyWriteExecute=yes

# --- Network ---------------------------------------------------------------
# Allow-list: sockets of any other family (AF_UNIX, AF_NETLINK, AF_PACKET, ...)
# cannot be created by the service.
RestrictAddressFamilies=AF_INET AF_INET6

# --- System calls ----------------------------------------------------------
SystemCallArchitectures=native
# The leading ~ makes this a deny-list: the listed groups are blocked and
# everything else stays allowed.
# NOTE(review): an allow-list (for example @system-service) followed by these
# exclusions would be stricter; test before switching.
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap

[Install]
WantedBy=multi-user.target