[Unit]
Description=AdGuard Home: Network-level blocker
After=syslog.target network-online.target

[Service]
DynamicUser=true
StateDirectory=adguardhome
WorkingDirectory=/var/lib/adguardhome
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
ExecStart=/usr/bin/adguardhome -w /var/lib/adguardhome -l syslog

PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
NoNewPrivileges=true
MemoryDenyWriteExecute=true
LockPersonality=true
ProtectHostname=true

[Install]
WantedBy=multi-user.target