Webserver inperken listing:
[Service] PrivateDevices=true ProtectControlGroups=true ProtectHome=true ProtectKernelLogs=true ProtectKernelModules=true ProtectKernelTunables=true ProtectSystem=strict ReadWritePaths=/var/lib/caddy /var/log/caddy RestrictSUIDSGID=true CapabilityBoundingSet=CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_BIND_SERVICE NoNewPrivileges=true