[Unit]
StartLimitIntervalSec=0

[Service]
User=root
DynamicUser=true

Restart=on-failure
RestartSec=10

ProtectSystem=strict
PrivateUsers=true
NoNewPrivileges=yes

ReadWritePaths={{ transmission.root_dir }}
BindReadOnlyPaths=/usr /lib /lib64
TemporaryFileSystem=/:ro
Environment=TRANSMISSION_HOME={{ transmission.root_dir }}/.config

ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
PrivateTmp=yes
PrivateDevices=yes