[Unit]
Description=Bacula File Daemon service
After=network.target

[Service]
Type=simple
StandardOutput=syslog
ExecStart=/usr/sbin/bacula-fd -f -c /etc/bacula/bacula-fd.conf

# Hardening
NoNewPrivileges=yes
ProtectHome=read-only
ProtectSystem=strict
ReadWriteDirectories=/var/lib/bacula
RuntimeDirectory=bacula
PrivateTmp=yes
PrivateDevices=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
CapabilityBoundingSet=CAP_DAC_READ_SEARCH

[Install]
WantedBy=multi-user.target