# Template unit: one instance per SSH connection. %I expands to the unescaped
# instance name, %i to the escaped form used in user names and paths.
[Unit]
Description=Create SSH connection to %I
# Start only once the network is reported online; Requires= means this unit
# is not started if network-online.target fails to activate.
After=network-online.target
Requires=network-online.target
# Stop this unit as soon as no other active unit depends on it.
StopWhenUnneeded=yes

[Service]
# Readiness is signalled through sd_notify. NotifyAccess=all accepts the
# message from any process in this unit's control group, not only the main PID.
# NOTE(review): presumably the notification is sent by a helper configured in
# /usr/lib/nnss/ssh_config rather than by ssh itself - confirm, and narrow to
# NotifyAccess=main or exec if that is enough.
Type=notify
NotifyAccess=all

# Run under a transient, per-instance account allocated at start.
DynamicUser=yes
User=nnss-ssh-%i
# Pass /etc/nnss/<instance> to the service as credential "ssh" (available
# under $CREDENTIALS_DIRECTORY) instead of making the source readable by the
# service account.
# NOTE(review): presumably this holds the SSH key material; the source path
# should be root-owned and not world-readable - verify on the host.
LoadCredential=ssh:/etc/nnss/%i

# Per-instance directories: a runtime directory below /run that exists while
# the service runs (no access for "other"), and a persistent state directory
# below /var/lib. What ssh stores in each is decided by the ssh_config file,
# which is not part of this unit.
RuntimeDirectory=nnss-%i
RuntimeDirectoryMode=0750
StateDirectory=nnss-%i

# "default" is the destination argument; it is presumably a Host alias defined
# in the ssh_config file passed with -F.
# NOTE(review): a bare binary name is resolved through systemd's compiled-in
# search path, which includes /usr/local/bin; an absolute path would pin the
# exact binary.
ExecStart=ssh -F /usr/lib/nnss/ssh_config default

# Note: the app service running in the namespace should have Restart=always;
# otherwise both the ssh connection and the app will be stopped, because this
# unit has StopWhenUnneeded set.
# Restart delay starts at RestartSec and grows towards RestartMaxDelaySec over
# RestartSteps restarts (RestartSteps=/RestartMaxDelaySec= need systemd 254+).
# https://enotty.pipebreaker.pl/posts/2024/01/how-systemd-exponential-restart-delay-works/
Restart=on-failure
RestartSec=5min
RestartSteps=6
RestartMaxDelaySec=24h

# Sandboxing: no privilege gain through exec, an empty capability bounding
# set, no creation of or switching between namespaces, and a system-call
# allow-list limited to the @system-service group.
# Remaining exposure can be reviewed with `systemd-analyze security <unit>`.
NoNewPrivileges=yes
CapabilityBoundingSet=
RestrictNamespaces=true
SystemCallFilter=@system-service