ArchiSteamFarm/ArchiSteamFarm/overlay/generic-netf/ArchiSteamFarm@.service

[Install]
WantedBy=multi-user.target

[Service]
EnvironmentFile=-/etc/asf/%i
ExecStart=mono /home/%i/ArchiSteamFarm/ArchiSteamFarm.exe --no-restart --process-required --service --system-required
Restart=on-success
RestartSec=5s
SyslogIdentifier=asf-%i
User=%i

# ASF security hardening
LockPersonality=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=read-only
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=full
ReadWritePaths=/home/%i/ArchiSteamFarm /tmp
RemoveIPC=yes
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

# Not tested
#PrivateIPC=yes

# This list is incomplete, will likely crash your ASF, not to mention only a total madman would enable that
#SystemCallFilter=accept4 access arch_prctl bind chdir chmod clone close connect epoll_create1 epoll_ctl epoll_wait fadvise64 fcntl flock fstat fsync ftruncate getcwd getdents64 getpeername getrusage getsockname getsockopt inotify_add_watch inotify_init ioctl listen lseek lstat madvise mkdir mknod mprotect openat pipe pipe2 poll pread64 read readlink recvfrom recvmsg rename rmdir rt_sigaction rt_sigprocmask sched_get_priority_max sched_get_priority_min sched_getparam sched_getscheduler sched_setaffinity sched_setscheduler sendmmsg sendmsg sendto setsockopt shutdown sigaltstack socket stat statfs sysinfo uname unlink utimensat write

[Unit]
After=network.target network-online.target
Description=ArchiSteamFarm Service (on %I)
Documentation=https://github.com/JustArchiNET/ArchiSteamFarm/wiki
Wants=network.target network-online.target