[Unit]
Description=Update he-ipv6 tunnel end point
After=network-online.target

[Service]
Type=oneshot
ExecStart=curl --silent "https://USERNAME:PASSWORD@ipv4.tunnelbroker.net/nic/update?hostname=801807"
# Prevent acquiring new privileges. Warning: breaks execution of SUID binaries
NoNewPrivileges=yes
PermissionsStartOnly=true
# Prevent access to /dev
PrivateDevices=yes
# Use dedicated /tmp
PrivateTmp=yes
PrivateUsers=true
# Hide user homes
ProtectHome=yes
# Prevent loading or reading kernel modules
ProtectKernelModules=yes
# Prevent altering kernel tunables
ProtectKernelTunables=yes
# strict or full, see docs
ProtectSystem=strict

[Install]
WantedBy=network-online.target