[Unit]
After=nftables.service

[Service]
ExecStartPre=
ExecStart=
ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start

# Need explicit rights to read logs as we don't grant CAP_DAC_READ_SEARCH
SupplementaryGroups=adm

# Hardening
NoNewPrivileges=yes
ProtectSystem=strict
RuntimeDirectory=fail2ban
PrivateDevices=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW