tsproxy systemd service

tsproxy.service

[Unit]
Description=Tailscale Proxy
Wants=network-pre.target tailscaled.service
After=network-pre.target tailscaled.service
StartLimitIntervalSec=0

[Service]
EnvironmentFile=/etc/default/tsproxy
ExecStart=/usr/local/bin/tsproxy  \
    --state="${STATE_DIRECTORY}" \
    --port=80 \
    --upstream="my-app=http://127.0.0.1:8000;prometheus;funnel"
TimeoutStartSec=0
Restart=always
RestartSec=1
DynamicUser=yes
StateDirectory=tsproxy
StateDirectoryMode=0777
NoNewPrivileges=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
PrivateTmp=yes
PrivateMounts=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ProtectHostname=yes
ProtectProc=noaccess
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectClock=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=yes
SystemCallFilter=@system-service
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target