[Service]
User=nobody
Group=nogroup

Environment=
Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy/haproxy.pid"

ProtectHome=true
ProtectSystem=true
PrivateTmp=yes
PrivateDevices=yes
RuntimeDirectory=haproxy

NoNewPrivileges=true
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
LockPersonality=yes