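# Tinyproxy bridge, host side: exposes the host's tinyproxy (127.0.0.1:8888)
# to the deploy chroot as a UNIX socket at /run/proxy/proxy.sock.
# Read by systemd: section names are case-sensitive, `#` starts a full-line
# comment, list-type keys (ReadOnlyPaths=, BindPaths=) accumulate when repeated.

[Unit]
Description=Tinyproxy Bridge host-side (deploy chroot)
# NOTE(review): the original carried the comment "Join the network and mount
# namespace of your existing sshd service", but no JoinsNamespaceOf= is set, so
# this unit runs in its own mount namespace and the host network namespace.
# Confirm which is intended before relying on that comment.
# Ordering after tinyproxy is not required for correctness: socat with `fork`
# connects to 127.0.0.1:8888 per client, so an early client just sees a refused
# connection. Left disabled as in the original.
#After=tinyproxy.service
PartOf=chr-deploy.target

[Service]
# The bridge runs chrooted into the deploy tree. RootDirectoryStartOnly=no is
# the default and means any ExecStartPre= would run inside the chroot too.
RootDirectory=/chroot/deploy
RootDirectoryStartOnly=no
# /run/proxy is created before start and removed after stop (no
# RuntimeDirectoryPreserve=), so a stale socket normally cannot survive a
# restart. With DynamicUser= the real directory is /run/private/proxy with a
# /run/proxy symlink on the host.
RuntimeDirectory=proxy
#RuntimeDirectoryPreserve=yes
# `unlink-early` removes any leftover socket before bind. It replaces the former
# `ExecStartPre=-/usr/bin/rm -f /run/proxy/proxy.sock`, which did the same job
# but required /usr/bin/rm inside the chroot and hid its own failures behind `-`.
# SECURITY: mode=666 makes the socket, and therefore tinyproxy, usable by every
# local user/process that can reach /run/proxy. Restrict it to the intended
# consumer (e.g. mode=660 plus a fixed Group=, or a tighter RuntimeDirectoryMode=)
# once that consumer is known; the original value is kept here unchanged.
ExecStart=/usr/bin/socat UNIX-LISTEN:/run/proxy/proxy.sock,fork,reuseaddr,unlink-early,mode=666 TCP:127.0.0.1:8888
Restart=always
# socat exits 143 (128+SIGTERM) on a clean stop; treat that as success.
SuccessExitStatus=143
# Transient unprivileged user instead of the static nobody/nogroup pair.
# DynamicUser= also implies RemoveIPC=, PrivateTmp=, NoNewPrivileges= and
# RestrictSUIDSGID=.
#User=nobody
#Group=nogroup
DynamicUser=yes
#PrivateTmp=no
# Mount /proc, /sys and /dev inside the chroot (subject to the Protect* below).
MountAPIVFS=true
NoNewPrivileges=true
PrivateDevices=true
DevicePolicy=closed
# DynamicUser= defaults to ProtectSystem=strict; the explicit `full` that used to
# be here overrode that to a weaker setting. strict makes the whole tree
# read-only except the API VFS and the RuntimeDirectory= (/run/proxy), which is
# the only place socat writes.
ProtectSystem=strict
ProtectHome=yes
ProtectHostname=yes
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectProc=invisible
ProcSubset=pid
ProtectControlGroups=true
ProtectClock=true
# socat needs a UNIX listener and an IPv4 connection to loopback, nothing else.
RestrictAddressFamilies=AF_UNIX AF_INET
# No capabilities are needed: the listener lives in our own runtime directory
# and 8888 is an outbound connection, so the bounding set can be empty.
CapabilityBoundingSet=
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Network egress limited to loopback (needs cgroup v2; otherwise systemd logs a
# warning and ignores it). Does not affect the UNIX socket.
IPAddressDeny=any
IPAddressAllow=localhost
# Re-verify the service after enabling the options above, e.g. with
# `systemd-analyze security <unit>` and a client connection through the socket.
# NOTE(review): with RootDirectory= set, ReadOnlyPaths=/InaccessiblePaths= are
# resolved below the new root, so "/chroot/deploy/..." would refer to
# /chroot/deploy/chroot/deploy/... — verify these paths are what is meant.
# The leading `-` keeps the unit from failing when a path does not exist; under
# ProtectSystem=strict these entries are belt-and-braces anyway.
ReadOnlyPaths=-/bin -/sbin -/lib -/lib64 -/usr -/boot -/etc
ReadOnlyPaths=-/chroot/deploy
InaccessiblePaths=-/chroot/deploy/boot -/chroot/deploy/sys
# Binding the chroot's own /run over /run was tried and left disabled; kept for
# reference only.
#BindPaths=/chroot/deploy/run:/run:norbind
# Make sd_notify() and the journal's syslog socket reachable from inside the
# chroot. BindPaths= sources are host paths; destinations are below
# RootDirectory=.
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind

[Install]
WantedBy=chr-deploy.target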