reseed-tools/etc/systemd/system/reseed.service

[Unit]
Description=I2P reseed service
After=network.target
StartLimitIntervalSec=0
Requires=i2p.service

[Service]
RestrictAddressFamilies=AF_INET AF_INET6
PrivateTmp=yes
DeviceAllow=
PrivateDevices=true
PrivateMounts=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=noaccess
ProtectSystem=true
ProtectHome=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=~@clock
SystemCallFilter=~@debug
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@swap
SystemCallFilter=~@privileged
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@obsolete
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
MemoryDenyWriteExecute=true
RemoveIPC=true
UMask=600
ProtectHostname=true
ProcSubset=pid
NoNewPrivileges=true
CapabilityBoundingSet=

User=i2psvc
WorkingDirectory=/var/lib/i2p/i2p-config/reseed
ExecStart=/usr/bin/reseed-tools reseed --yes=true --netdb=/var/lib/i2p/i2p-config/netDb
Restart=always
RestartSec=10
RuntimeMaxSec=43200

[Install]
WantedBy=multi-user.target