[Unit]
Description=User Private Key Store
After=network.target

[Service]
User=keystored
Group=keystored
EnvironmentFile=-/etc/default/keystored
ExecStart=/usr/bin/keystored --addr $ADDR
Restart=always

# Hardening
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target