service unit file sample

opt.service

[Unit]
Description=/opt/bin/%N
After=network.target

[Service]
SecureBits=no-setuid-fixup-locked noroot-locked keep-caps
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
SystemCallFilter=@basic-io @network-io @io-event

Restart=always
RestartSec=0

ExecStart=/opt/bin/%N

# Slurp environment variables up from this file
EnvironmentFile=/etc/default/%N

# These define: ${TYPE}_DIRECTORY for the unit
CacheDirectory=%N
ConfigurationDirectory=%N
StateDirectory=%N
RuntimeDirectory=%N

# DynamicUser implies much of what follows
DynamicUser=true

# Security bits
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RemoveIPC=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

KeyringMode=private
ProtectSystem=strict
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target