[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes