# systemd unit for the leguichet-in daemon.
# One directive per line; systemd accepts full-line comments only.

[Unit]
Description=leguichet-in daemon
# network.target orders start-up after the network stack is set up; it does not
# wait for connectivity.
# NOTE(review): the daemon is passed a ClamAV address (-c/-p). If it must reach
# that address at start-up, confirm whether network-online.target is needed.
After=network.target

[Service]
Type=simple
Restart=always

# Run as the leguichet-in user and group rather than root.
User=leguichet-in
Group=leguichet-in

# Expected to define GUICHETIN, DIODEIN, LOG, CLAMAV_IP and CLAMAV_PORT.
# NOTE(review): these values become command-line arguments, so the file should
# be writable by root only.
EnvironmentFile=/etc/default/leguichet-in
# The ${VAR} form expands each variable to exactly one argument, with no word
# splitting; an unset variable expands to an empty argument.
ExecStart=/usr/bin/leguichet-in -i ${GUICHETIN} -d ${DIODEIN} -l ${LOG} -c ${CLAMAV_IP} -p ${CLAMAV_PORT}

# --- Filesystem view ---
# /usr, /boot, /efi and /etc are mounted read-only for the service.
ProtectSystem=full
# Private /dev without physical devices.
PrivateDevices=true
# /proc is hidden from the service.
InaccessiblePaths=/proc
# An empty read-only tmpfs replaces /var; only the paths bound below stay visible.
TemporaryFileSystem=/var:ro
# Read-write paths. /var/log/leguichet-in/ is re-exposed on top of the tmpfs.
# NOTE(review): /home/in/ and /run/diode-in/ are not hidden by any directive in
# this unit, so their entries only make the intended writable set explicit.
BindPaths=/home/in/ /var/log/leguichet-in/ /run/diode-in/
# NOTE(review): /etc is already read-only under ProtectSystem=full, and systemd
# reads EnvironmentFile itself, so this entry looks redundant; confirm whether
# the daemon reads /etc/default directly.
BindReadOnlyPaths=/etc/default

# --- Kernel and privilege restrictions ---
# Deny-list that blocks only ptrace.
# NOTE(review): an allow-list such as @system-service would be tighter; confirm
# the daemon's syscall needs by testing before switching.
SystemCallFilter=~ptrace
# Explicit kernel module loading is denied.
ProtectKernelModules=true
# Setting the set-user-ID or set-group-ID bit on files is denied.
RestrictSUIDSGID=true
# SysV and POSIX IPC objects owned by the service user/group are removed when
# the unit stops.
RemoveIPC=true
# NOTE(review): NoNewPrivileges= is not set explicitly. systemd documents that
# several directives above imply it when User= is non-root; stating it would
# make the intent visible. `systemd-analyze security <unit-name>` lists what
# remains unrestricted (capabilities, /home, /tmp, address families, ...).

[Install]
WantedBy=multi-user.target