ixti · August 29, 2023 16:15
diff --git a/twingate.service b/twingate.service
 [Unit]
 Description=Twingate Remote Access Client
 Wants=network-pre.target
 After=network-pre.target NetworkManager.service systemd-resolved.service

 [Service]
 ExecStart=/usr/sbin/twingated /etc/twingate/config.json
 Restart=on-failure
 RestartSec=5s
 RuntimeDirectory=twingate
 RuntimeDirectoryMode=0755
 StateDirectory=twingate
 StateDirectoryMode=0700
 WorkingDirectory=/var/lib/twingate
 ConfigurationDirectory=twingate

 ProtectSystem=true
 ProtectHome=yes
 PrivateTmp=yes
 NoNewPrivileges=yes
 ProtectControlGroups=yes
 RestrictSUIDSGID=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectHostname=yes
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictNamespaces=~user
 SystemCallArchitectures=native
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes

 [Install]
 WantedBy=multi-user.target
	[Unit]
	Description=Twingate Remote Access Client
	Wants=network-pre.target
	After=network-pre.target NetworkManager.service systemd-resolved.service

	[Service]
	ExecStart=/usr/sbin/twingated /etc/twingate/config.json
	Restart=on-failure
	RestartSec=5s
	RuntimeDirectory=twingate
	RuntimeDirectoryMode=0755
	StateDirectory=twingate
	StateDirectoryMode=0700
	WorkingDirectory=/var/lib/twingate
	ConfigurationDirectory=twingate

	ProtectSystem=true
	ProtectHome=yes
	PrivateTmp=yes
	NoNewPrivileges=yes
	ProtectControlGroups=yes
	RestrictSUIDSGID=yes
	ProtectKernelLogs=yes
	ProtectKernelModules=yes
	ProtectHostname=yes
	CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN
	RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
	RestrictNamespaces=~user
	SystemCallArchitectures=native
	LockPersonality=yes
	MemoryDenyWriteExecute=yes
	RestrictRealtime=yes

	[Install]
	WantedBy=multi-user.target