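# systemd unit for the Caddy OPNsense blocker daemon.
# Runs as an unprivileged user inside a restrictive sandbox.
# Review the remaining exposure with: systemd-analyze security <unit-name>.service

[Unit]
Description=Caddy OPNsense Blocker
# Start only after the network is reported up.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Dedicated unprivileged account.
User=blocker
Group=blocker
# Membership in the caddy group is presumably what grants read access to
# /var/log/caddy. It also grants access to anything else that is
# group-readable by caddy, so check that nothing sensitive falls under it.
SupplementaryGroups=caddy
WorkingDirectory=/var/lib/caddy-opnsense-blocker
# NOTE(review): config.yaml presumably carries credentials for the firewall
# API. Confirm it is not world-readable (e.g. root:blocker, mode 0640).
ExecStart=/usr/local/bin/caddy-opnsense-blocker -config /etc/caddy-opnsense-blocker/config.yaml
Restart=always
RestartSec=5s

# --- Privilege and filesystem sandbox ---
# Blocks privilege gain through setuid/setgid bits or file capabilities.
NoNewPrivileges=true
PrivateTmp=true
# Whole file system is read-only except /dev, /proc, /sys and ReadWritePaths.
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictSUIDSGID=true
# Sockets limited to local IPC and IPv4/IPv6.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
LockPersonality=true
# Forbids writable+executable memory mappings.
MemoryDenyWriteExecute=true
SystemCallArchitectures=native

# --- Added hardening ---
# The service is unprivileged and, with NoNewPrivileges=true, cannot gain file
# capabilities, so emptying both sets removes nothing it could use.
CapabilityBoundingSet=
AmbientCapabilities=
# Private /dev with only pseudo-devices (null, zero, random, ...).
PrivateDevices=true
# Needs systemd >= 244/245; older versions ignore unknown keys with a warning.
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
# A log-following API client is not expected to create namespaces or need
# realtime scheduling.
RestrictNamespaces=true
RestrictRealtime=true

# --- Path allowances ---
# Only the state directory is writable.
ReadWritePaths=/var/lib/caddy-opnsense-blocker
# Already read-only under ProtectSystem=strict; listed to make the intent
# explicit. A path listed here that does not exist makes the unit fail at
# namespace setup (status 226/NAMESPACE). Prefix it with "-" only if a missing
# log directory should be tolerated.
ReadOnlyPaths=/etc/caddy-opnsense-blocker /var/log/caddy

[Install]
WantedBy=multi-user.target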