[Unit]
Description=KMS Emulator

[Service]
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
NoNewPrivileges=true
LockPersonality=true
RestrictRealtime=true
MemoryDenyWriteExecute=true
ProtectHome=true
ProtectSystem=strict
PrivateDevices=true
PrivateUsers=true
ProtectClock=true
ProtectProc=invisible
ProcSubset=pid
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
DevicePolicy=closed
DynamicUser=true
Type=forking
ExecStart=/usr/bin/vlmcsd

[Install]
WantedBy=multi-user.target