[Unit]
Description=The Onion Router

[Service]
ExecStartPre=/usr/bin/tor --verify-config -f /etc/tor/torrc
ExecStart=/usr/bin/tor -f /etc/tor/torrc --DataDirectory /var/lib/tor/data --User tor
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/tor.pid
KillSignal=SIGINT
TimeoutStopSec=32
LimitNOFILE=30000

# Hardening options:
CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
PrivateTmp = yes
PrivateDevices = yes
ProtectHome = yes
ProtectSystem = full
NoNewPrivileges = yes

[Install]
WantedBy=multi-user.target