[Unit]
Description=Prysm slasher
After=network-online.target

[Service]
DynamicUser=true
ExecStart=/usr/bin/prysm.slasher --datadir=/var/lib/prysm/slasher
Restart=always
StateDirectory=prysm/slasher

NoNewPrivileges=yes
CapabilityBoundingSet=
SystemCallArchitectures=native
SystemCallFilter=@system-service

PrivateDevices=yes
PrivateUsers=yes
PrivateTmp=yes

ProtectSystem=strict
ProtectClock=yes
ProtectHome=true
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes

RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

[Install]
WantedBy=default.target