[Service]
# use a persistent user so that nftables can use it for skuid rules
DynamicUser=false

MemoryDenyWriteExecute=true
RemoveIPC=true
ProcSubset=pid
ProtectProc=invisible
Restart=always