This offers a measure of protection against potential ympd vulnerabilities. See
https://www.freedesktop.org/software/systemd/man/systemd.exec.html for
documentation.
Requires=network.target local-fs.target
[Service]
+User=ympd
+DynamicUser=yes
+MountAPIVFS=yes
+RemoveIPC=yes
+CapabilityBoundingSet=
+LockPersonality=yes
+PrivateUsers=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+NoNewPrivileges=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+
Environment=MPD_HOST=localhost
Environment=MPD_PORT=6600
Environment=MPD_PASSWORD=