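[Service]
# Layout restored to one directive per line: systemd expects the section
# header on its own line and only treats "#" as a comment at the start of a
# line.

# Send the service's stderr to the systemd journal.
StandardError=journal

# Run as the unprivileged nobody/nogroup accounts instead of root.
# NOTE(review): nobody/nogroup are shared accounts, so any other process
# running under them counts as the same user for file permissions and
# signals. A dedicated service account isolates this unit better; confirm
# which files the service must own before changing it.
User=nobody
Group=nogroup

# sandboxing options, see systemd.exec(5)

# The service and its children cannot gain privileges through execve()
# (setuid/setgid bits and file capabilities have no effect).
NoNewPrivileges=yes

# Private network namespace with only a loopback interface: no access to the
# host's network.
PrivateNetwork=yes

# Private /dev containing only pseudo-devices such as /dev/null, /dev/zero
# and /dev/random; physical devices are not visible.
PrivateDevices=yes

# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=yes

# /home, /root and /run/user appear empty and inaccessible to the service.
ProtectHome=yes

# The file system tree from / downwards is read-only for the service, even
# where ordinary file permissions would allow a write.
# ReadOnlyDirectories= is the older spelling of ReadOnlyPaths=. It is kept
# here so that a systemd release predating the rename still applies the
# restriction instead of ignoring an unknown directive.
ReadOnlyDirectories=/

# Only system calls of the native ABI are allowed, so a secondary ABI (for
# example 32-bit calls on a 64-bit host) cannot be used to reach the kernel.
SystemCallArchitectures=native

# Refuse attempts to enable realtime scheduling, which could otherwise be
# used to monopolise CPU time.
RestrictRealtime=yes

# The control group hierarchy under /sys/fs/cgroup is read-only.
ProtectControlGroups=yes

# Explicit loading and unloading of kernel modules is denied.
ProtectKernelModules=yes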