# systemd service unit rendered from a Jinja2 template.
# The template variables (service_description, script_path, system_user,
# data_path) are substituted as text at render time. A value containing a
# newline would add extra directives to this unit, so take them from
# trusted inventory only.

[Unit]
Description={{ service_description }}

[Service]
Type=simple
# NOTE(review): the quote filter presumably applies shell-style quoting.
# systemd parses ExecStart= with its own rules and still expands percent
# specifiers and dollar-variable references; confirm script_path contains
# neither.
ExecStart={{ script_path | quote }}

# Identity: user and group are both taken from system_user.
# NOTE(review): NoNewPrivileges= is not set explicitly. systemd documents it
# as implied by RestrictNamespaces=/RestrictRealtime= only when the service
# runs without CAP_SYS_ADMIN (e.g. a non-root User=); verify system_user
# never renders to root, or set it explicitly once the script is known not
# to need setuid helpers.
User={{ system_user }}
Group={{ system_user }}
# Files created by the service get no permission bits for "other".
UMask=007

# Filesystem view: the whole tree is read-only, with data_path as the only
# writable exception listed here. The leading "-" tells systemd to ignore
# the entry when the path does not exist instead of failing the start.
# ReadWritePaths= is a space-separated list, so a data_path containing
# whitespace would be split into several paths.
ReadOnlyPaths=/
ReadWritePaths=-{{ data_path }}
# Overlaps with ReadOnlyPaths=/ above; kept as in the original.
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

# Kernel and cgroup interfaces.
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true

# Scheduling and namespace restrictions.
RestrictRealtime=true
RestrictNamespaces=true