#/lib/systemd/system/rpki-client.service 

[Unit]
Description=OpenBSD RPKI validator
Documentation=man:rpki-client(8)

[Service]
EnvironmentFile=-/etc/default/rpki-client
#ExecStart=/usr/sbin/rpki-client $OPTIONS
ExecStart=/usr/sbin/rpki-client -v -j -t /etc/tals/testbed.tal
Type=oneshot
User=_rpki-client
CacheDirectory=rpki-client
StateDirectory=rpki-client
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
CapabilityBoundingSet=
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service