====== Information ======

  * https://www.freedesktop.org/software/systemd/man/systemd.exec.html

====== Relatively Safe ======

  * These shouldn't break anything, but check ''MemoryDenyWriteExecute'' and ''RestrictNamespaces'' first should something break

<code>
ProtectSystem=true
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
MemoryDenyWriteExecute=true
RestrictRealtime=true</code>

====== Service-Specific ======

  * ''ReadOnlyPaths'' and ''ReadWritePaths'' are space-separated

  NoNewPrivileges=true

  PrivateUsers=true

  PrivateNetwork=true

  ReadOnlyPaths='x' 'x'

  ReadWritePaths='x' 'x'

  LockPersonality=true