@@ -0,0 +1,57 @@
+# tested with systemd=252.31-1~deb12u1+rpi1 on raspberry pi os 12/bookworm
+# 1. copy to ~/.config/systemd/user/systemctl-mqtt.service
+# 2. edit parameters in ExecStart
+# 3. systemctl --user daemon-reload
+# 4. systemctl --user restart systemctl-mqtt.service
+# 5. sudo loginctl enable-linger $USER
+# 6. systemctl --user enable systemctl-mqtt.service
+# > Failed to update dynamic user credentials: Permission denied
+# > Failed at step CAPABILITIES spawning …: Operation not permitted
+# > Failed at step CAPABILITIES spawning …: Operation not permitted
+# > Failed at step CAPABILITIES spawning …: Operation not permitted
+# > Failed at step CAPABILITIES spawning …: Operation not permitted
+# > Failed at step CAPABILITIES spawning …: Operation not permitted
+RestrictNamespaces=~user pid net uts mnt ipc cgroup
+# > ProtectHostname=yes is configured, but UTS namespace setup is prohibited
+# . (container manager?), ignoring namespace setup.
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+# ineffective?
+# ineffective
+SystemCallFilter=~@clock @swap @resources @reboot @raw-io @privileged \
+ @obsolete @mount @module @debug @cpu-emulation
+# ineffective
+ExecStart=%h/.local/bin/systemctl-mqtt --mqtt-host localhost --log-level debug
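Review bot: The ExecStart line pins `--log-level debug` in a unit that steps 5 and 6 set up to run permanently with lingering, so every debug record the daemon emits lands in the user journal for as long as it is retained. Debug output of an MQTT bridge may include topics and payloads (not confirmed from this hunk), so I would ship `ExecStart=%h/.local/bin/systemctl-mqtt --mqtt-host localhost` and mention the debug flag only in a comment for troubleshooting. Separately, the allow-list in `RestrictAddressFamilies=` would benefit from a one-line comment saying which family serves which purpose, especially `AF_NETLINK`, so a later reader can tell whether it can be tightened. The hunk header announces 57 added lines and only part of them is visible here, so directives not shown may already cover some of this.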