File mihomo.service of Package mihomo
# systemd unit for the Mihomo daemon.
# The daemon runs under a transient DynamicUser= account with three network
# capabilities and a read-only view of the host; directives are grouped by
# purpose below.

[Unit]
Description=Mihomo daemon
# After= only orders start-up relative to these units; it does not pull them in.
After=network.target NetworkManager.service systemd-networkd.service iwd.service

[Service]
Type=simple
Restart=on-failure
RestartSec=5

# --- Identity and private state ---------------------------------------------
# No static account: systemd allocates a UID/GID for the lifetime of the service.
DynamicUser=yes
# Writable state directory owned by the service; its path is exported as
# $STATE_DIRECTORY. Mode 0700 and the umask keep created files owner-only.
StateDirectory=mihomo
StateDirectoryMode=0700
UMask=077
# The configuration is passed in as a service credential: systemd reads
# /etc/mihomo/config.yaml on the service's behalf and exposes a read-only copy
# named config.yaml under $CREDENTIALS_DIRECTORY, so the file in /etc does not
# have to be readable by the dynamic user.
# NOTE(review): ExecStart= does not reference the credential; presumably the
# ExecStartPre= helper places it in $STATE_DIRECTORY (confirm). If the config
# holds proxy credentials or API secrets, keep the file in /etc root-only.
LoadCredential=config.yaml:/etc/mihomo/config.yaml

# --- Commands ---------------------------------------------------------------
# Packaged helper run before the daemon, under the same user and sandbox
# settings as ExecStart=; its contents are not visible in this unit.
ExecStartPre=/usr/lib64/mihomo/start
# -d receives the state directory path (presumably mihomo's working/config
# directory option; confirm against the mihomo documentation).
ExecStart=/usr/bin/mihomo -d "$STATE_DIRECTORY"

# --- Capabilities -----------------------------------------------------------
# Bounding and ambient sets are identical, so the unprivileged process starts
# with exactly these three capabilities and cannot gain any other.
# NOTE(review): CAP_NET_ADMIN is broad (interface, routing and firewall
# configuration). It is presumably needed for TUN / transparent-proxy modes;
# a deployment that only runs a plain local proxy could narrow both sets in a
# drop-in.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
RestrictSUIDSGID=yes

# --- File system view -------------------------------------------------------
# strict: the whole hierarchy is read-only for the service except the API file
# systems /dev, /proc and /sys; the StateDirectory= above stays writable.
ProtectSystem=strict
ProtectHome=yes
PrivateMounts=yes
# NOTE(review): the "disconnected" value is only understood by recent systemd
# releases (v257 or later, as far as I know); confirm the minimum systemd
# version this package targets.
PrivateTmp=disconnected
# Other users' processes are hidden in /proc, and only the per-process
# subset of /proc is mounted.
ProtectProc=invisible
ProcSubset=pid

# --- Kernel interfaces ------------------------------------------------------
ProtectClock=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
# Kernel tunables under /proc/sys and /sys are read-only for the service, so it
# cannot change sysctls itself even though it holds CAP_NET_ADMIN.
ProtectKernelTunables=yes
ProtectControlGroups=yes

# --- Process restrictions ---------------------------------------------------
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictNamespaces=true
RestrictRealtime=yes
SystemCallArchitectures=native
RemoveIPC=yes
# NOTE(review): no SystemCallFilter=, RestrictAddressFamilies= or device policy
# is set. That may be deliberate (a TUN setup needs /dev/net/tun and netlink
# sockets); `systemd-analyze security mihomo.service` lists what remains
# exposed and is a useful check before tightening further.

[Install]
WantedBy=multi-user.target