# echo@.service
#
# Template unit: one instance per client connection. The stdio settings below
# only work when a socket unit hands the connection to the service; that
# socket unit is not shown here (presumably echo.socket with Accept=yes;
# confirm).
#
# The service binary is named "hackme", so treat every instance as if it is
# already under an attacker's control. The [Service] section is there to limit
# what such a process can reach. In unit files a comment must be on its own
# line, because a trailing "#" would become part of the value.

[Unit]
Description=hackme hard
# Unload finished instances even when they failed, so that crashed sessions do
# not accumulate as failed units.
CollectMode=inactive-or-failed

[Service]
# --- What runs -------------------------------------------------------------
# With Type=oneshot the command runs during the start phase, so
# TimeoutStartSec is the wall-clock limit for a whole session.
Type=oneshot
TimeoutStartSec=120
# "echo lol" runs only if the binary exits with status 0.
# NOTE(review): "sh" is resolved through systemd's built-in search path; an
# absolute path would remove that dependency.
ExecStart=sh -c '/srv/web226/rotexercise/hackme_hard && echo lol'
WorkingDirectory=/srv/web226/rotexercise

# --- Connection wiring -----------------------------------------------------
# All three streams are the client connection. Because stderr goes there too,
# shell and binary diagnostics are visible to the remote peer.
StandardInput=socket
StandardOutput=socket
StandardError=socket

# --- Identity and privileges -----------------------------------------------
# A static account is left disabled; DynamicUser allocates a transient UID/GID
# for the lifetime of the instance instead.
#User=nobody
#Group=nogroup
DynamicUser=yes
PrivateUsers=true
# No privilege gain through execve (setuid/setgid bits, file capabilities).
NoNewPrivileges=true
RestrictSUIDSGID=true
# Empty assignment: the capability bounding set is empty.
CapabilityBoundingSet=
# Files the service creates get no permission bits at all.
UMask=777

# --- Resource limits -------------------------------------------------------
# LimitCPU is CPU seconds per process (RLIMIT_CPU); TasksMax caps the number
# of tasks in the unit and so bounds fork bombs.
# NOTE(review): no MemoryMax= appears in this unit; unless a slice or drop-in
# sets one, memory use is not capped here.
LimitCPU=30
TasksMax=10

# --- File system view ------------------------------------------------------
# Read-only file system hierarchy, no access to home directories, private
# /tmp and /var/tmp, and a minimal private /dev.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
# Empty assignment: the device allow-list is left empty.
DeviceAllow=
# Hide other processes in /proc and mount only its per-process part.
ProtectProc=noaccess
ProcSubset=pid
# Left disabled in the original.
#InaccessiblePaths=/

# --- Kernel and host interfaces --------------------------------------------
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectHostname=true
RemoveIPC=true

# --- Network ---------------------------------------------------------------
# The instance gets its own network namespace and may not create sockets of
# any address family. The already-accepted connection is passed in as a file
# descriptor, so it keeps working.
PrivateNetwork=true
RestrictAddressFamilies=none

# --- System call surface ---------------------------------------------------
# Only the @system-service group is allowed, and only for the native ABI.
SystemCallFilter=@system-service
SystemCallArchitectures=native
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
# No mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=true