ExecStart=-/usr/bin/rsync --daemon --config=<%= @fname_real_rsync %>
StandardInput=socket
StandardError=journal
-CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID
+CapabilityBoundingSet=CAP_SYS_CHROOT CAP_SETUID CAP_SETGID CAP_DAC_READ_SEARCH
PrivateDevices=true
PrivateNetwork=true
ProtectHome=read-only