# Second OpenSSH daemon running chrooted into /chroot/deploy ("deploy" environment).
# systemd unit file (systemd.service/systemd.exec syntax): '#' full-line comments only;
# repeated keys such as ExecReload=, ReadOnlyPaths= and BindPaths= accumulate in the
# order written, they do not override each other.
[Unit]
Description=OpenBSD Secure Shell server (deploy chroot)
After=network.target auditd.service
# Same opt-out marker the stock Debian ssh unit honours, but looked up inside the chroot.
# Condition*= is evaluated by the service manager on the host, so the host-side path is used.
ConditionPathExists=!/chroot/deploy/etc/ssh/sshd_not_to_be_run
# Stopped/restarted together with the deploy-chroot target that pulls this unit in.
PartOf=chr-deploy.target

[Service]
# Every Exec*= command runs chrooted here (RootDirectoryStartOnly=no is the default and is
# only spelled out for clarity), so /usr/sbin/sshd-deploy and /bin/kill must exist *inside*
# /chroot/deploy; the host's binaries are not reachable.
RootDirectory=/chroot/deploy
RootDirectoryStartOnly=no
# Read from the host, hence the chroot-prefixed path; the leading '-' makes the file optional.
EnvironmentFile=-/chroot/deploy/etc/default/ssh
# Configuration syntax check before start, and again before reload, so a broken
# sshd_config is rejected instead of taking down the running daemon.
ExecStartPre=/usr/sbin/sshd-deploy -t
ExecStart=/usr/sbin/sshd-deploy -D $SSHD_OPTS
ExecReload=/usr/sbin/sshd-deploy -t
ExecReload=/bin/kill -HUP $MAINPID
# Only the listener is killed on stop; session processes it forked are left running
# (same choice as the stock ssh unit).
KillMode=process
Restart=on-failure
# Matches the stock Debian unit: an exit status of 255 is not retried.
RestartPreventExitStatus=255
# Requires an sshd built with sd_notify support; the notify socket is bind-mounted into the
# chroot below, otherwise start-up would time out.
Type=notify
# Created as /run/sshd-deploy on the host, world-readable like the usual /run/sshd privsep dir.
# NOTE(review): /run inside the chroot is bound from /chroot/deploy/run (see BindPaths= below);
# confirm the runtime directory is actually visible where sshd-deploy expects it.
RuntimeDirectory=sshd-deploy
RuntimeDirectoryMode=0755
# Mount private API file systems (/proc, /sys, /dev) inside the root directory.
MountAPIVFS=true
# setuid/setgid bits and file capabilities can no longer raise privileges. The flag is
# inherited across fork/exec, so it also applies to every session this sshd spawns
# (su/sudo inside the chroot will not elevate).
NoNewPrivileges=true
# Private /dev containing only pseudo-devices. PrivateDevices= already implies
# DevicePolicy=closed; it is kept explicit here.
PrivateDevices=true
DevicePolicy=closed
# /usr and /boot read-only, and with "full" also /etc.
ProtectSystem=full
# /proc/sys, /sys and friends read-only; no module loading; no access to the kernel log.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
# invisible: processes of other users are hidden in /proc.
# pid: only process entries are exposed in /proc, non-process files (e.g. /proc/sys) are hidden.
# Both also apply to the ssh sessions, which inherit the mount namespace.
ProtectProc=invisible
ProcSubset=pid
ProtectControlGroups=true
ProtectClock=true
# Additional hardening, currently disabled. NOTE(review): no reason is recorded for leaving
# these off; re-enable them one at a time while watching the sshd logs, or remove them.
# - The two RestrictNamespaces= lines are not equivalent: "yes" prohibits every namespace
#   type, the list form permits exactly the listed types. Pick one before re-enabling.
# - CapabilityBoundingSet= as written is probably too narrow for a daemon that has to switch
#   uid/gid for sessions; verify against the capabilities sshd actually needs.
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
#RestrictNamespaces=uts ipc pid user cgroup
#RestrictNamespaces=yes
#RestrictRealtime=yes
#RestrictSUIDSGID=yes
#MemoryDenyWriteExecute=yes
#LockPersonality=yes
# Read-only system trees. Both the host paths and the /chroot/deploy-prefixed paths are
# listed. NOTE(review): check systemd.exec(5) for the installed version to see how
# ReadOnlyPaths=/InaccessiblePaths= are resolved under RootDirectory=, and drop the set
# that has no effect; /usr, /boot and /etc also overlap with ProtectSystem=full above.
ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
ReadOnlyPaths=/chroot/deploy/bin /chroot/deploy/sbin /chroot/deploy/lib /chroot/deploy/lib64 /chroot/deploy/usr /chroot/deploy/etc
InaccessiblePaths=/chroot/deploy/boot /chroot/deploy/sys
# Bind mounts, format source(host):destination(inside the chroot):norbind (non-recursive).
# run: the host's /chroot/deploy/run becomes the chroot's /run.
BindPaths=/chroot/deploy/run:/run:norbind
# log, systemd notify: the sd_notify socket (needed for Type=notify) and journald's
# syslog socket, so sshd can report readiness and log.
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind
# mysql (root): the host's MySQL socket directory; '-' skips the mount if it does not exist.
# NOTE(review): the socket becomes reachable from every session this sshd spawns, not only
# from root; confirm that is intended and that the server-side grants rely on that.
BindPaths=-/run/mysqld:/run/mysqld:norbind

[Install]
# Not part of the normal multi-user boot; enabled through chr-deploy.target only.
#WantedBy=multi-user.target
WantedBy=chr-deploy.target
Alias=sshd-deploy.service