[Unit]
Description=tlstunnel reverse proxy
Documentation=https://sr.ht/~emersion/tlstunnel
After=network.target

[Service]
User=tlstunnel
ExecStart=/usr/bin/tlstunnel
ExecReload=kill -HUP $MAINPID
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512

# Hardening options
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=/var/lib/tlstunnel
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
LockPersonality=true

[Install]
WantedBy=multi-user.target