# systemd unit settings for HAProxy: restart policy, environment and sandboxing.
# The User=/Group= values are template placeholders filled in at render time.
# NOTE(review): this looks like a drop-in that overrides a packaged unit
# (there is no ExecStart= here) - confirm against the deployment.
# After deploying, `systemd-analyze security <unit>` reports the remaining exposure.

[Unit]
# 0 disables start rate limiting. Together with Restart=on-failure below, the
# service is restarted indefinitely and never parks in the failed state, so a
# crash loop has to be caught by monitoring restarts instead.
StartLimitIntervalSec=0

[Service]
# Account the daemon runs as. The sandboxing below assumes an unprivileged,
# dedicated account; verify the rendered values are not root.
User={{ haproxy.user }}
Group={{ haproxy.group }}

# Restart only after an unclean exit, waiting 10 seconds between attempts.
Restart=on-failure
RestartSec=10

# The empty assignment clears any Environment= entries set earlier (for
# example by the unit this file overrides); the next line then sets the
# complete list.
Environment=
Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy/haproxy.pid"

# --- File system isolation ---
# /home, /root and /run/user are made inaccessible.
ProtectHome=true
# The whole file system hierarchy is read-only for the service except /dev,
# /proc and /sys.
# NOTE(review): no ReadWritePaths= is set in this file, so any path HAProxy
# writes outside the runtime directory (stats socket, chroot, state files)
# would fail - confirm against haproxy.cfg.
ProtectSystem=strict
# Private /tmp and /var/tmp, not shared with other processes.
PrivateTmp=yes
# Private /dev containing only pseudo devices; no physical device access.
PrivateDevices=yes
# Creates /run/haproxy owned by User=/Group= at start and removes it at stop.
# This is the writable location the PIDFILE path above points into.
RuntimeDirectory=haproxy

# --- Privilege restrictions ---
# The process and its children cannot gain privileges through execve()
# (setuid/setgid bits, file capabilities).
# NOTE(review): no AmbientCapabilities= or CapabilityBoundingSet= is visible
# here. Running as a non-root User=, HAProxy needs CAP_NET_BIND_SERVICE (or
# socket passing) to bind ports below 1024 - confirm where that is granted
# and that the bounding set is limited to what is needed.
NoNewPrivileges=true
# Denies setting set-user-ID / set-group-ID bits on files.
RestrictSUIDSGID=yes
# Denies memory mappings that are writable and executable at the same time.
# NOTE(review): builds that rely on JIT compilation (for example a JIT-enabled
# regex library) can fail under this setting - verify with the deployed build.
MemoryDenyWriteExecute=yes

# --- System call filtering ---
# The leading ~ makes this a deny-list: the listed groups are blocked and
# everything else stays allowed.
# NOTE(review): consider adding SystemCallArchitectures=native so the filter
# cannot be sidestepped through a non-native ABI, and an allow-list
# (for example @system-service) if a stricter policy is wanted.
SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io

# --- Kernel interfaces ---
# Kernel tunables under /proc/sys, /sys and similar are read-only.
ProtectKernelTunables=true
# Explicit kernel module loading is denied.
ProtectKernelModules=true
# The control group hierarchy is read-only.
ProtectControlGroups=true

# --- Sockets, namespaces, personality ---
# Allow-list of socket address families: local sockets, IPv4, IPv6, netlink.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
# Creating or entering namespaces of any type is denied.
RestrictNamespaces=yes
# The execution domain (personality) cannot be changed.
LockPersonality=yes