PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
+ProtectProc=invisible
+ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
+RestrictSUIDSGID=yes
SystemCallArchitectures=native
User=systemd-journal-remote
-WatchdogSec=3min
+@SERVICE_WATCHDOG@
# If there are many split up journal files we need a lot of fds to access them
# all in parallel.