File nikau-client@.service of Package nikau
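# Template unit for the nikau KVM client. The instance name (%i) is used below
# as a numeric user id to locate that user's runtime directory.
[Unit]
Description=nikau KVM client

[Service]
Type=simple

# NOTE(review): there is no User=/Group= in this unit, so when it is installed
# as a system unit the client runs as root. Confirm this is required for
# /dev/uinput access, or whether a dedicated account with a udev rule granting
# access to uinput would do.

# File system: everything is mounted read-only for the service except
# /dev, /proc and /sys; home directories are visible but read-only.
ProtectSystem=strict
ProtectHome=read-only
# PrivateTmp breaks the clipboard
PrivateTmp=no

# Kernel and host state the client has no reason to modify.
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes

# Process-level restrictions. RestrictNamespaces= was listed twice with the
# same value; it is kept once here.
RestrictNamespaces=yes
LockPersonality=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
# NOTE(review): NoNewPrivileges=yes is not set. For a system service running
# with full privileges it is not implied by the settings above; consider
# adding it once it is confirmed that the client never needs to gain
# privileges through exec.

# System calls outside the @system-service group fail with EPERM instead of
# terminating the process.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

# Listing a device switches the default device policy from "allow all" to
# the standard pseudo devices plus the nodes named here.
DeviceAllow=/dev/uinput rw

# NOTE(review): trust boundary. /run/user/<uid> is normally owned by and
# writable for that user, and every assignment in this file becomes part of
# the service environment, not only NIKAU_SERVER. If the service runs with
# more privilege than that user, treat the file as untrusted input: have a
# root-owned location provide it, or pass only the validated server address.
EnvironmentFile=/run/user/%i/nikau_client_environment
# ${NIKAU_SERVER} is substituted by systemd as one argument (no shell, no
# word splitting); it expands to an empty string when the variable is unset.
ExecStart=/usr/bin/nikau client ${NIKAU_SERVER}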