+<% if @runtime_max_sec -%>
+RuntimeMaxSec=<%= @runtime_max_sec %>
+<% end -%>
+<% if @runtime_directory -%>
+RuntimeDirectory=<%= @runtime_directory %>
+<% end -%>
+<% if @runtime_directory_mode -%>
+RuntimeDirectoryMode=<%= sprintf("0%o", @runtime_directory_mode) %>
+<% end -%>
+<% if @state_directory -%>
+StateDirectory=<%= @state_directory %>
+<% end -%>
+<% if @state_directory_mode -%>
+StateDirectoryMode=<%= sprintf("0%o", @state_directory_mode) %>
+<% end -%>
+<% if @cache_directory -%>
+CacheDirectory=<%= @cache_directory %>
+<% end -%>
+<% if @cache_directory_mode -%>
+CacheDirectoryMode=<%= sprintf("0%o", @cache_directory_mode) %>
+<% end -%>
+<% if @logs_directory -%>
+LogsDirectory=<%= @logs_directory %>
+<% end -%>
+<% if @logs_directory_mode -%>
+LogsDirectoryMode=<%= sprintf("0%o", @logs_directory_mode) %>
+<% end -%>
+<% if @configuration_directory -%>
+ConfigurationDirectory=<%= @configuration_directory %>
+<% end -%>
+<% if @configuration_directory_mode -%>
+ConfigurationDirectoryMode=<%= sprintf("0%o", @configuration_directory_mode) %>
+<% end -%>
+<% if @standard_input -%>
+StandardInput=<%= @standard_input %>
+<% end -%>
+<% if @standard_output -%>
+StandardOutput=<%= @standard_output %>
+<% end -%>
+<% if @standard_error -%>
+StandardError=<%= @standard_error %>
+<% end -%>
+<% if @protect_proc && node[:lsb][:release].to_f >= 22.04 -%>
+ProtectProc=<%= @protect_proc %>
+<% end -%>
+<% if @proc_subset && node[:lsb][:release].to_f >= 22.04 -%>
+ProcSubset=<%= @proc_subset %>
+<% end -%>
+<% if @bind_paths -%>
+BindPaths=<%= Array(@bind_paths).sort.uniq.join(" ") %>
+<% end -%>
+<% if @bind_read_only_paths -%>
+BindReadOnlyPaths=<%= Array(@bind_read_only_paths).sort.uniq.join(" ") %>
+<% end -%>
+<% if @no_new_privileges -%>
+NoNewPrivileges=<%= @no_new_privileges %>
+<% end -%>
+<% if @capability_bounding_set -%>
+CapabilityBoundingSet=<%= Array(@capability_bounding_set).sort.uniq.join(" ") %>
+<% end -%>
+<% if @ambient_capabilities -%>
+AmbientCapabilities=<%= Array(@ambient_capabilities).sort.uniq.join(" ") %>
+<% end -%>
+<% if @protect_system -%>
+ProtectSystem=<%= @protect_system %>
+<% end -%>
+<% if @protect_home -%>
+ProtectHome=<%= @protect_home %>
+<% end -%>
+<% if @read_write_paths -%>
+ReadWritePaths=<%= Array(@read_write_paths).sort.uniq.join(" ") %>
+<% end -%>
+<% if @read_only_paths -%>
+ReadOnlyPaths=<%= Array(@read_only_paths).sort.uniq.join(" ") %>
+<% end -%>
+<% if @inaccessible_paths -%>
+InaccessiblePaths=<%= Array(@inaccessible_paths).sort.uniq.join(" ") %>
+<% end -%>
+<% if @private_tmp -%>
+PrivateTmp=<%= @private_tmp %>
+<% end -%>
+<% if @private_devices -%>
+PrivateDevices=<%= @private_devices %>
+<% end -%>
+<% if @private_network -%>
+PrivateNetwork=<%= @private_network %>
+<% end -%>
+<% if @private_ipc && node[:lsb][:release].to_f >= 22.04 -%>
+PrivateIPC=<%= @private_ipc %>
+<% end -%>
+<% if @private_users -%>
+PrivateUsers=<%= @private_users %>
+<% end -%>
+<% if @protect_hostname -%>
+ProtectHostname=<%= @protect_hostname %>
+<% end -%>
+<% if @protect_clock -%>
+ProtectClock=<%= @protect_clock %>
+<% end -%>
+<% if @protect_kernel_tunables -%>
+ProtectKernelTunables=<%= @protect_kernel_tunables %>
+<% end -%>
+<% if @protect_kernel_modules -%>
+ProtectKernelModules=<%= @protect_kernel_modules %>
+<% end -%>
+<% if @protect_kernel_logs -%>
+ProtectKernelLogs=<%= @protect_kernel_logs %>
+<% end -%>
+<% if @protect_control_groups -%>
+ProtectControlGroups=<%= @protect_control_groups %>
+<% end -%>
+<% if @restrict_address_families -%>
+RestrictAddressFamilies=<%= Array(@restrict_address_families).sort.uniq.join(" ") %>
+<% end -%>
+<% if @restrict_namespaces -%>
+RestrictNamespaces=<%= Array(@restrict_namespaces).sort.uniq.join(" ") %>
+<% end -%>
+<% if @lock_personality -%>
+LockPersonality=<%= @lock_personality %>
+<% end -%>
+<% if @memory_deny_write_execute -%>
+MemoryDenyWriteExecute=<%= @memory_deny_write_execute %>
+<% end -%>
+<% if @restrict_realtime -%>
+RestrictRealtime=<%= @restrict_realtime %>
+<% end -%>
+<% if @restrict_suid_sgid -%>
+RestrictSUIDSGID=<%= @restrict_suid_sgid %>
+<% end -%>
+<% if @remove_ipc -%>
+RemoveIPC=<%= @remove_ipc %>
+<% end -%>
+<% if @system_call_filter -%>
+SystemCallFilter=<%= Array(@system_call_filter).join(" ") %>
+<% end -%>
+<% if @system_call_architectures -%>
+SystemCallArchitectures=<%= Array(@system_call_architectures).sort.uniq.join(" ") %>
+<% end -%>
+<% if @tasks_max -%>
+TasksMax=<%= @tasks_max %>
+<% end -%>
+<% if @success_exit_status -%>
+SuccessExitStatus=<%= Array(@success_exit_status).join(" ") %>
+<% end -%>