[Unit]
Description=leguichet-transit daemon
After=network.target

[Service]
Type=simple
User=leguichet-transit
Group=leguichet-transit
EnvironmentFile=/etc/default/leguichet-transit
ExecStart=/usr/bin/leguichet-transit -t ${TRANSIT} -i ${DIODEIN} -o ${DIODEOUT} -l ${LOG}
Restart=always
SystemCallFilter=~ptrace
PrivateDevices=yes
ProtectSystem=full
InaccessiblePaths=/proc
RemoveIPC=true
RestrictSUIDSGID=true
ProtectKernelModules=true

[Install]
WantedBy=multi-user.target