[Unit]
Description=rebound service
After=network.target

[Service]
Type=simple
Restart=on-failure
EnvironmentFile=/etc/rebound/environ
ExecStart=/usr/bin/rebound
EnvironmentFile=/etc/rebound/environ
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
PrivateUsers=yes
DynamicUser=yes
StateDirectory=rebound
DevicePolicy=closed
ProtectSystem=true
ProtectHome=read-only
ProtectKernelLogs=yes
ProtectProc=invisible
ProtectClock=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH  CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_WAKE_ALARM CAP_SYS_TTY_CONFIG 

[Install]
WantedBy=multi-user.target