[Unit]
Description=Create SSH connection to %I
After=network.target
StopWhenUnneeded=yes

[Service]
Type=notify
NotifyAccess=all
DynamicUser=yes

LoadCredential=ssh:/etc/nnss/%i

RuntimeDirectory=nnss-%i
StateDirectory=nnss-%i
ExecStart=ssh -F /usr/lib/nnss/ssh_config default

NoNewPrivileges=yes
CapabilityBoundingSet=
RestrictNamespaces=true
SystemCallFilter=@system-service