# Example systemd service unit for nfqws. Adjust for your installation. [Unit] After=network.target [Service] Type=notify Restart=on-failure ExecSearchPath=/opt/zapret/binaries/my ExecStart=nfqws @${CONFIG_FILE} Environment=CONFIG_FILE=/etc/zapret/nfqws.config StateDirectory=nfqws StateDirectoryMode=0700 WorkingDirectory=%S/nfqws DynamicUser=true AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET6 AF_INET LockPersonality=true MemoryDenyWriteExecute=true PrivateDevices=true PrivateMounts=true PrivateTmp=true ProcSubset=pid ProtectClock=true ProtectControlGroups=true ProtectHome=true ProtectHostname=true ProtectKernelLogs=true ProtectKernelModules=true ProtectKernelTunables=true ProtectProc=invisible ProtectSystem=strict RemoveIPC=true RestrictNamespaces=true RestrictRealtime=true RestrictSUIDSGID=true SystemCallArchitectures=native SystemCallFilter=@system-service SystemCallFilter=~@resources @privileged UMask=0077 [Install] WantedBy=multi-user.target