[Unit] Description=Fabio proxy After=syslog.target After=network.target [Service] LimitMEMLOCK=infinity LimitNOFILE=65535 Type=simple User=fabio Group=fabio WorkingDirectory=/ ExecStart=/usr/bin/fabio Restart=always # no need that fabio messes with /dev PrivateDevices=yes # dedicated /tmp PrivateTmp=yes # make /usr, /boot, /etc read only ProtectSystem=full # /home is not accessible at all ProtectHome=yes # to be able to bind port < 1024 AmbientCapabilities=CAP_NET_BIND_SERVICE NoNewPrivileges=yes # only ipv4, ipv6, unix socket and netlink networking is possible # netlink is necessary so that fabio can list available IPs on startup RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK