# systemd service unit: SSH daemon for the deploy chroot under /chroot/deploy.
# Comments are full-line only; systemd does not support trailing comments.

[Unit]
Description=OpenBSD Secure Shell server (deploy chroot)
After=network.target auditd.service
# Evaluated by the service manager, so this is the host-side path.
# The leading "!" negates the test: the unit is skipped when the marker file exists.
ConditionPathExists=!/chroot/deploy/etc/ssh/sshd_not_to_be_run

[Service]
# Every command below runs with /chroot/deploy as its root directory.
# RootDirectoryStartOnly=no applies the chroot to ExecStartPre= and ExecReload=
# as well as ExecStart=, so /usr/sbin/sshd-deploy and /bin/kill are resolved
# inside /chroot/deploy, not on the host. The chroot tree must therefore be
# writable by root only.
RootDirectory=/chroot/deploy
RootDirectoryStartOnly=no
# The "-" prefix makes a missing file non-fatal. The path is written from the
# host's point of view.
# NOTE(review): whoever can write this file controls the options passed to the
# daemon through SSHD_OPTS; keep it root-owned and not group/world-writable.
EnvironmentFile=-/chroot/deploy/etc/default/ssh
# Validate configuration before starting (assumes sshd-deploy is an sshd build
# where -t is test mode and -D keeps it in the foreground; confirm).
ExecStartPre=/usr/sbin/sshd-deploy -t
# Unbraced $SSHD_OPTS is split on whitespace into separate arguments.
ExecStart=/usr/sbin/sshd-deploy -D $SSHD_OPTS
# Reload commands run in order; SIGHUP is sent only after the config test passes.
ExecReload=/usr/sbin/sshd-deploy -t
ExecReload=/bin/kill -HUP $MAINPID
# Only the main process is signalled on stop, so established sessions survive
# a restart of the listener.
KillMode=process
Restart=on-failure
# Exit status 255 does not trigger an automatic restart.
RestartPreventExitStatus=255
# The daemon must report readiness via sd_notify.
# NOTE(review): with RootDirectory= set, confirm that the notification socket is
# reachable from inside the chroot on the systemd version in use.
Type=notify
# /run/sshd-deploy is created on start and removed on stop.
RuntimeDirectory=sshd-deploy
RuntimeDirectoryMode=0755
# Sets no_new_privs for the daemon and everything it spawns, login sessions
# included: setuid/setgid binaries and file capabilities grant nothing there.
NoNewPrivileges=true
# The sandboxing directives below are commented out and NOT in effect; the unit
# does not record why. Until they are enabled and tested, confinement rests on
# the chroot and NoNewPrivileges= alone.
# NOTE(review): ReadOnlyPaths=/InaccessiblePaths= are documented as relative to
# the host root; verify how they interact with RootDirectory= before enabling.
#PrivateDevices=true
#ProtectSystem=full
#ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
#ReadOnlyPaths=/chroot/deploy/bin /chroot/deploy/sbin /chroot/deploy/lib /chroot/deploy/lib64 /chroot/deploy/usr /chroot/deploy/etc
#InaccessiblePaths=/chroot/deploy/boot

[Install]
WantedBy=multi-user.target
Alias=sshd-deploy.service