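# Oneshot service that reports this host's current IPv4 address to the
# tunnelbroker.net update endpoint so the he-ipv6 tunnel follows it.
#
# NOTE: systemd unit files only support full-line comments. The original
# trailing "# ..." text was read as part of each value, so the hardening
# booleans below would not parse and would be ignored. Comments now sit on
# their own lines so the sandboxing actually applies; confirm with
# `systemd-analyze verify <unit>` and `systemd-analyze security <unit>`.

[Unit]
Description=Update he-ipv6 tunnel end point
# After= only orders; Wants= is what pulls network-online.target in.
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
# SECURITY: the account credentials are embedded in the URL, so they are
# readable by anyone who can read this unit file and they appear in the
# process argument list while curl runs. Keep this file root-only (0600), or
# move the credentials into a root-only curl config file passed with --config.
# In ExecStart a literal "%" must be written "%%" and a literal "$" as "$$".
# Absolute path: older systemd versions reject a bare command name.
# --fail/--show-error make HTTP errors fail the unit instead of passing silently.
ExecStart=/usr/bin/curl --silent --show-error --fail "https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/nic/update?hostname=582358"
# No User= is set, so curl runs as root. NOTE(review): consider DynamicUser=yes;
# nothing here appears to need root, but confirm before enabling.
# Prevent acquiring new privileges. Warning: breaks execution of SUID binaries
NoNewPrivileges=yes
# Deprecated setting; it has no visible effect here, since no User= or
# ExecStartPre= is configured.
PermissionsStartOnly=true
# Private /dev without access to physical devices
PrivateDevices=yes
# Use dedicated /tmp
PrivateTmp=yes
# Run inside a private user namespace
PrivateUsers=true
# Hide user homes
ProtectHome=yes
# Prevent loading kernel modules
ProtectKernelModules=yes
# Prevent altering kernel tunables
ProtectKernelTunables=yes
# strict or full, see docs. strict mounts the whole file system read-only.
ProtectSystem=strict

[Install]
# The unit starts whenever network-online.target is activated.
# NOTE(review): multi-user.target is the more common install target; kept as
# the author wrote it.
WantedBy=network-online.target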