[Service]
NoNewPrivileges=yes
ReadWritePaths=
ReadWritePaths=/run /var/lib/chrony -/var/log
Restart=always
RestartMaxDelaySec=10s
RestartSec=100ms
RestartSteps=5
RestrictAddressFamilies=~AF_NETLINK