[Service]
ProtectHome=true
ReadOnlyPaths=/
ReadWritePaths=/var/lib/alloy
NoNewPrivileges=true