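# systemd service unit for Vector, run as an unprivileged user inside a
# restrictive sandbox. One directive per line and comments on their own line:
# systemd does not parse several directives on one line or trailing comments.
# After any change, re-check exposure with: systemd-analyze security <unit>

[Unit]
Description=Vector
After=network.target

[Service]
# Dedicated non-root account.
# NOTE(review): the config file should be readable but not writable by this
# account, so the service cannot rewrite its own pipeline - confirm ownership
# and mode of /etc/vector/config.toml.
User=vector
Group=vector

# Validate the configuration before starting; a failed validation keeps the
# service from starting with a broken pipeline.
ExecStartPre=/usr/bin/vector validate --config /etc/vector/config.toml
ExecStart=/usr/bin/vector --config /etc/vector/config.toml

# Reload commands run in the order listed: validate first, then signal.
# A failed validation should stop the sequence before SIGHUP is sent.
ExecReload=/usr/bin/vector validate --config /etc/vector/config.toml
ExecReload=/bin/kill -HUP $MAINPID

# No automatic restart: after a crash, collection stays down until someone
# restarts the unit.
# NOTE(review): if this host's telemetry feeds detection, alert on this unit
# entering the failed state, or consider Restart=on-failure.
Restart=no

# capabilities
# Only CAP_NET_BIND_SERVICE is granted (binding ports below 1024), and the
# bounding set prevents acquiring anything else.
# NOTE(review): if no source listens on a privileged port, both lines can be
# set to empty to drop all capabilities.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# sandboxing
# Kernel and host-identity surfaces are read-only or blocked.
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
# The file system is read-only for the service except its state directory
# (see StateDirectory= below) and API file systems.
# NOTE(review): a file sink that writes outside /var/lib/vector would need an
# explicit ReadWritePaths= entry - verify against the Vector config.
ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
PrivateTmp=yes
PrivateDevices=yes
# Socket allow-list: local sockets and IPv4/IPv6 only.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
LockPersonality=yes
# Blocks writable+executable memory mappings; SystemCallArchitectures=native
# below keeps this from being sidestepped through a non-native ABI.
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
NoNewPrivileges=yes
RemoveIPC=yes
RestrictNamespaces=yes
# Writable state lives in /var/lib/vector, created by systemd for the service
# user with mode 0750.
WorkingDirectory=/var/lib/vector
StateDirectory=vector
StateDirectoryMode=0750

# syscall filtering
# Allow-list of syscall groups.
# NOTE(review): @debug adds ptrace(2) and perf_event_open(2) to the allowed
# set, which weakens the filter; confirm Vector needs it and drop it otherwise.
SystemCallFilter=@system-service @debug
SystemCallArchitectures=native

# process properties
# Files created by the service are accessible to the owner only.
UMask=077

[Install]
WantedBy=multi-user.target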