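```
[Unit]
Description=Crowdsec Firewall Bouncer
# PartOf= only propagates stop/restart from firewall.service; it does NOT
# order startup. If the bouncer must see the firewall's base ruleset before it
# installs its own chains/sets, an explicit After=firewall.service (and
# Wants=/After=network-online.target for reaching the LAPI) would be needed.
# NOTE(review): confirm against the NixOS module that generates this unit.
PartOf=firewall.service

[Service]
# Environment for the Nix-built bouncer: locale data, zoneinfo and a PATH that
# exposes only the tools it shells out to (ipset/iptables/nftables, coreutils,
# findutils, grep, sed, systemd). PATH entries are colon-separated with no
# whitespace -- the original had a stray space splitting the gnused sbin entry.
Environment="LOCALE_ARCHIVE=/nix/store/l59m1hy6yxy5n70hd71j4m3mgqlclyr6-glibc-locales-2.40-36/lib/locale/locale-archive"
Environment="PATH=/nix/store/v533lhxv641z6brnb6pkx13rwspxbna9-cs-firewall-bouncer-0.0.31/bin:/nix/store/z93yj8gzlck4pqpf34dnvlfwdjway91d-ipset-7.22/bin:/nix/store/hk52s3rw8xf0dbrlbbvjgc4qp9hdmr3i-iptables-1.8.10/bin:/nix/store/i30v1bg57zqk3yi76gmcf0npgd737g2i-nftables-1.1.1/bin:/nix/store/6wgd8c9vq93mqxzc7jhkl86mv6qbc360-coreutils-9.5/bin:/nix/store/r99d2m4swgmrv9jvm4l9di40hvanq1aq-findutils-4.10.0/bin:/nix/store/vniy1y5n8g28c55y7788npwc4h09fh7c-gnugrep-3.11/bin:/nix/store/yq39xdwm4z0fhx7dsm8mlpgvcz3vbfg3-gnused-4.9/bin:/nix/store/bl5dgjbbr9y4wpdw6k959mkq4ig0jwyg-systemd-256.10/bin:/nix/store/v533lhxv641z6brnb6pkx13rwspxbna9-cs-firewall-bouncer-0.0.31/sbin:/nix/store/z93yj8gzlck4pqpf34dnvlfwdjway91d-ipset-7.22/sbin:/nix/store/hk52s3rw8xf0dbrlbbvjgc4qp9hdmr3i-iptables-1.8.10/sbin:/nix/store/i30v1bg57zqk3yi76gmcf0npgd737g2i-nftables-1.1.1/sbin:/nix/store/6wgd8c9vq93mqxzc7jhkl86mv6qbc360-coreutils-9.5/sbin:/nix/store/r99d2m4swgmrv9jvm4l9di40hvanq1aq-findutils-4.10.0/sbin:/nix/store/vniy1y5n8g28c55y7788npwc4h09fh7c-gnugrep-3.11/sbin:/nix/store/yq39xdwm4z0fhx7dsm8mlpgvcz3vbfg3-gnused-4.9/sbin:/nix/store/bl5dgjbbr9y4wpdw6k959mkq4ig0jwyg-systemd-256.10/sbin"
Environment="TZDIR=/nix/store/78mhfhbhfhvx95hjv9hkjx8m0vadynjv-tzdata-2024b/share/zoneinfo"

# No User= is set, so the process runs as root. The bounding set confines even
# root to the two capabilities needed to program the packet filter (the
# nft/iptables/ipset helpers use netlink). systemd OR-merges repeated
# CapabilityBoundingSet= lines, so one line is equivalent to the two originals.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW

# Only the Nix store may contain executable mappings; everything else is noexec.
NoExecPaths=/
ExecPaths=/nix/store

# Validate the (store-resident, read-only) config before starting; the service
# only reaches "active" once the bouncer has sent READY=1 (Type=notify).
ExecStartPre=/nix/store/v533lhxv641z6brnb6pkx13rwspxbna9-cs-firewall-bouncer-0.0.31/bin/cs-firewall-bouncer -t -c /nix/store/jclmycjv2kfp68vs42wyczva79rmx779-crowdsec.yaml
ExecStart=/nix/store/v533lhxv641z6brnb6pkx13rwspxbna9-cs-firewall-bouncer-0.0.31/bin/cs-firewall-bouncer -c /nix/store/jclmycjv2kfp68vs42wyczva79rmx779-crowdsec.yaml
# Short post-start delay; presumably gives the bouncer time to install its
# ruleset before dependents proceed -- TODO confirm why 0.2s specifically.
ExecStartPost=/nix/store/6wgd8c9vq93mqxzc7jhkl86mv6qbc360-coreutils-9.5/bin/sleep 0.2
LimitNOFILE=65536
Restart=on-failure
RestartSec=10
Type=notify

# --- Sandboxing -------------------------------------------------------------
# ProtectSystem=strict makes the entire filesystem read-only for the service
# (only /dev, /proc, /sys writable) and no ReadWritePaths= is granted. That is
# fine while the bouncer logs to the journal/stdout; if the config enables
# file logging (e.g. under /var/log), a ReadWritePaths= entry is required.
# NOTE(review): check the referenced crowdsec.yaml before assuming either way.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProcSubset=pid
RemoveIPC=true
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
# Not present in the original; would tighten the sandbox further. The bouncer
# needs AF_INET/AF_INET6 (LAPI over HTTP), AF_NETLINK (nft/ipset/iptables
# helpers) and AF_UNIX (sd_notify, resolver) -- verify before enabling.
# RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK

# Seccomp allow-list. Filtered calls fail with EPERM rather than killing the
# process. @network-io is already a member of @system-service in current
# systemd releases; it is kept here for explicitness and is harmless.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=@network-io
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target
```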