[Unit]
Description=Send kernel messages from md via ntfy
Wants=network-online.target
After=network-online.target

[Service]
Type=exec
EnvironmentFile=-/etc/sysconfig/journal2ntfy
ExecStart=/usr/local/bin/journal2ntfy
DevicePolicy=closed
MemoryDenyWriteExecute=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
UMask=0077

[Install]
WantedBy=multi-user.target