ixti/twingate.service

## twingate.service
[Unit]
Description=Twingate Remote Access Client
Wants=network-pre.target
After=network-pre.target NetworkManager.service systemd-resolved.service

[Service]
ExecStart=/usr/sbin/twingated /etc/twingate/config.json
Restart=on-failure
RestartSec=5s
RuntimeDirectory=twingate
RuntimeDirectoryMode=0755
StateDirectory=twingate
StateDirectoryMode=0700
WorkingDirectory=/var/lib/twingate
ConfigurationDirectory=twingate

ProtectSystem=true
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectHostname=yes
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=~user
SystemCallArchitectures=native
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes

[Install]
WantedBy=multi-user.target
	[Unit]
	Description=Twingate Remote Access Client
	Wants=network-pre.target
	After=network-pre.target NetworkManager.service systemd-resolved.service

	[Service]
	ExecStart=/usr/sbin/twingated /etc/twingate/config.json
	Restart=on-failure
	RestartSec=5s
	RuntimeDirectory=twingate
	RuntimeDirectoryMode=0755
	StateDirectory=twingate
	StateDirectoryMode=0700
	WorkingDirectory=/var/lib/twingate
	ConfigurationDirectory=twingate

	ProtectSystem=true
	ProtectHome=yes
	PrivateTmp=yes
	NoNewPrivileges=yes
	ProtectControlGroups=yes
	RestrictSUIDSGID=yes
	ProtectKernelLogs=yes
	ProtectKernelModules=yes
	ProtectHostname=yes
	CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN
	RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
	RestrictNamespaces=~user
	SystemCallArchitectures=native
	LockPersonality=yes
	MemoryDenyWriteExecute=yes
	RestrictRealtime=yes

	[Install]
	WantedBy=multi-user.target