[Service]
ProtectSystem=strict
PrivateTmp=true
NoNewPrivileges=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
LockPersonality=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
BindPaths=/var/spool/
BindPaths=/var/lib/
InaccessiblePaths=/var/www/