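# systemd unit for the yggdrasil daemon started from /usr/bin/yggdrasil.
# The service runs as a dynamically allocated, unprivileged user inside a
# read-only filesystem view and keeps only the network capabilities listed
# in [Service].

[Unit]
Description=yggdrasil
Wants=network-online.target
Wants=yggdrasil-default-config.service
After=network-online.target
After=yggdrasil-default-config.service

[Service]
# Identity: systemd allocates the user at start-up; the group is named explicitly.
# NOTE(review): the daemon reads /etc/yggdrasil.conf under this user/group.
# Confirm the file's ownership and mode allow that without making it
# world-readable.
Group=yggdrasil
User=yggdrasil-dyn
DynamicUser=true

# Filesystem sandbox. ProtectSystem= was assigned twice (true, then strict);
# systemd applies the last assignment, so only the effective value is kept.
ProtectHome=true
ProtectSystem=strict
NoNewPrivileges=true

# make sure /var/run/yggdrasil/ is created writable for the user.
RuntimeDirectory=yggdrasil
ReadWritePaths=/var/run/yggdrasil /run/yggdrasil

# the small list of admin capabilities we need to do our job
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
# Limit the bounding set to the same list so the service can never hold more
# than these. Commands with the "+" prefix (ExecStartPre below) are exempt.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE

SyslogIdentifier=yggdrasil
# "+" runs modprobe with full privileges, outside the restrictions above;
# "-" means a failure to load the tun module does not fail the unit.
ExecStartPre=+-/sbin/modprobe tun
ExecStart=/usr/bin/yggdrasil -useconffile /etc/yggdrasil.conf
# SIGHUP is sent to the main process on "systemctl reload".
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
TimeoutStopSec=5

[Install]
WantedBy=multi-user.target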