[Unit]
Description=AppGate driver service

[Service]
# Remove traces of appgate-resolver, if it wasn't terminated properly
ExecStartPre=/bin/sh -c "test -e /etc/resolv.appgate && (chattr -i /etc/resolv.conf || :; mv /etc/resolv.appgate /etc/resolv.conf) ||:"
ExecStart="/opt/appgate/tun-service"
Type=forking
Restart=always
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
PrivateTmp=true
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_WAKE_ALARM
CapabilityBoundingSet=~CAP_SYSLOG
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_SYS_TIME
CapabilityBoundingSet=~CAP_SYS_RESOURCE
CapabilityBoundingSet=~CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_SYS_MODULE
CapabilityBoundingSet=~CAP_SYS_CHROOT
CapabilityBoundingSet=~CAP_SYS_BOOT
InaccessiblePaths=-/mnt -/srv -/boot -/media

[Install]
WantedBy=multi-user.target