configpolicy/roles/vmhost/files/vm-autostart.service

[Unit]
Description=Start virtual machines
After=libvirt.service
After=network-online.target
Wants=network-online.target
RequiresMountsFor=/var/lib/libvirt/images

[Service]
Type=oneshot
RemainAfterExit=yes
Environment=LIBVIRT_DEFAULT_URI=qemu:///system
ExecStart=/usr/local/libexec/vm-autostart.sh
Restart=on-failure

CapabilityBoundingSet=
DeviceAllow=
DevicePolicy=closed
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateUsers=yes
PrivateTmp=yes
ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
UMask=0027

[Install]
WantedBy=multi-user.target