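# Tinyproxy bridge, namespace side: listens on TCP :8888 inside the
# sshd-deploy network namespace and relays each connection to the
# host-side proxy UNIX socket. Read by systemd (systemd.unit(5),
# systemd.exec(5)): '#' full-line comments only, booleans spelled
# true/false throughout, list-type keys accumulate across lines.

[Unit]
Description=Tinyproxy Bridge namespace-side (deploy chroot)
# Join the network and mount namespace of the existing sshd service.
# JoinsNamespaceOf= only shares the network namespace when this unit
# also sets PrivateNetwork=true (see [Service]).
JoinsNamespaceOf=sshd-deploy.service
# Ordering only: After= does not pull these units in. If the host-side
# service is what creates /run/proxy/proxy.sock (its name suggests so),
# consider adding Requires= or BindsTo= for it so socat is not started
# against a missing socket.
After=sshd-deploy.service tinyproxy-bridge-host-deploy.service
PartOf=chr-deploy.target

[Service]
# Run inside the deploy chroot. RootDirectoryStartOnly=false (the
# default) applies the chroot to ExecStart= as well as Exec*Pre/Post.
RootDirectory=/chroot/deploy
RootDirectoryStartOnly=false
# /run/proxy is created for and owned by the unit.
# NOTE(review): with RootDirectory= set, confirm this resolves to the
# same directory the host side places proxy.sock in.
RuntimeDirectory=proxy
#RuntimeDirectoryPreserve=true
# Listen on TCP 8888 (all addresses of the joined network namespace),
# one forked socat per client, relaying to the host-side UNIX socket.
ExecStart=/usr/bin/socat TCP-LISTEN:8888,fork,reuseaddr UNIX-CONNECT:/run/proxy/proxy.sock
Restart=always
# 143 = 128 + SIGTERM: socat's exit status on a normal stop.
SuccessExitStatus=143

# Identity: a transient unprivileged user is allocated per run
# (supersedes the static nobody/nogroup alternative left below).
#User=nobody
#Group=nogroup
DynamicUser=true

# Sandboxing
#PrivateTmp=false
MountAPIVFS=true
NoNewPrivileges=true
PrivateDevices=true
DevicePolicy=closed
ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectProc=invisible
ProcSubset=pid
ProtectControlGroups=true
ProtectClock=true
# Enabled: socat uses no realtime scheduling, creates no SUID/SGID
# files, does not change personality and creates no namespaces (the
# namespaces it runs in are set up by systemd before exec).
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
# Still disabled; each needs a test against this socat build first:
#  - RestrictAddressFamilies: AF_UNIX/AF_INET/AF_INET6 are what socat
#    uses here; AF_NETLINK is presumably for name resolution - verify.
#  - CapabilityBoundingSet: with DynamicUser= the process is
#    unprivileged anyway; an empty set is the tightest choice if
#    nothing breaks.
#  - MemoryDenyWriteExecute: no known W+X need in socat - verify.
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
#MemoryDenyWriteExecute=true

# File system view. ReadOnlyPaths= accumulates across lines.
ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
# NOTE(review): the /chroot/deploy entries are only meaningful if these
# paths resolve against the host tree rather than inside the chroot -
# confirm for the systemd version in use.
ReadOnlyPaths=/chroot/deploy
InaccessiblePaths=/chroot/deploy/boot /chroot/deploy/sys
# Required for JoinsNamespaceOf= to share sshd-deploy's network namespace.
PrivateNetwork=true
# run
#BindPaths=/chroot/deploy/run:/run:norbind
# log, systemd notify
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind

[Install]
WantedBy=chr-deploy.target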