[Service]

# Hardening
NoNewPrivileges=yes
ProtectSystem=strict
ReadWriteDirectories=/var/lib/munin-node/plugin-state
ReadWriteDirectories=/var/log/munin
RuntimeDirectory=munin
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
CapabilityBoundingSet=CAP_SETUID CAP_SETGID