[Unit]
Description=SSL/SSH multiplexer (select mode) for %I
After=network.target

[Service]
EnvironmentFile=/etc/conf.d/sslh
ExecStart=/usr/bin/sslh-select -f -F/etc/sslh/%I.cfg
KillMode=process
ProtectSystem=strict
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
PrivateTmp=true
PrivateDevices=true
SecureBits=noroot-locked
MountFlags=private
NoNewPrivileges=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
MemoryDenyWriteExecute=true
User=sslh
DynamicUser=true

[Install]
WantedBy=multi-user.target