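# Oneshot service that switches on the embedded LCD by running `asterctl --on`.
# It runs as a transient (DynamicUser) account with no capabilities, no network,
# and no device access beyond the single serial port the tool needs.
# NOTE(review): there is no [Install] section, so this unit is presumably pulled
# in by another unit or a timer rather than enabled directly -- confirm.

[Unit]
Description=Switch on embedded LCD

[Service]
Type=oneshot
# default for oneshot, spelled out: the unit is inactive as soon as asterctl exits
RemainAfterExit=no
# transient UID/GID, released when the unit stops (also implies ProtectSystem=strict)
DynamicUser=true
# tailored to Debian: adapt for other Linux flavours! RW access to /dev/ttyACM0 is
# required, and on Debian that device is owned by the "dialout" group.
Group=dialout
ExecStart=/usr/bin/asterctl --on

# lock down service
# empty bounding set: no capabilities at all, and none can be gained later
CapabilityBoundingSet=
NoNewPrivileges=true
LockPersonality=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
ProtectHome=true
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
ProtectProc=invisible
ProcSubset=pid
# forbids writable+executable memory mappings; fine for a native binary,
# would break a runtime that needs a JIT
MemoryDenyWriteExecute=true
KeyringMode=private
# no networking at all: own (loopback-only) network namespace and no socket families
PrivateNetwork=true
RestrictAddressFamilies=none
PrivateTmp=true
PrivateUsers=true
# seccomp: only the native syscall ABI and the generic service profile, minus the
# privileged and resource-control groups; filtered calls fail with EPERM instead
# of killing the process
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
# anything the service creates is owner-only (mode 0600)
UMask=0177

# that's all we need access to
# DevicePolicy=closed is what a DeviceAllow= line already implies under the
# default "auto" policy; stating it keeps device access closed even if the
# DeviceAllow= line below is edited away later.
DevicePolicy=closed
DeviceAllow=/dev/ttyACM0 rw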