[Unit] Description=User Private Key Store After=network.target [Service] User=keystored Group=keystored EnvironmentFile=-/etc/default/keystored ExecStart=/usr/bin/keystored --addr $ADDR Restart=always # Hardening NoNewPrivileges=yes PrivateTmp=yes PrivateDevices=yes ProtectHome=yes ProtectSystem=full ReadOnlyDirectories=/ CapabilityBoundingSet=CAP_NET_BIND_SERVICE [Install] WantedBy=multi-user.target