Diffstat (limited to 'etc/systemd/lifeboat@.service')
-rw-r--r-- | etc/systemd/lifeboat@.service | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/etc/systemd/lifeboat@.service b/etc/systemd/lifeboat@.service
new file mode 100644
index 0000000..632669f
--- /dev/null
+++ b/etc/systemd/lifeboat@.service
@@ -0,0 +1,41 @@
+[Unit]
+Description=Lifeboat backup for %I
+AssertPathExists=/srv/backup/lifeboat/%i
+
+[Service]
+User=lifeboat
+Group=lifeboat
+Type=oneshot
+ExecStart=/usr/bin/lifeboat %i run-report
+
+AmbientCapabilities=CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallFilter=@system-service
+
+ReadWritePaths=/srv/backup/lifeboat
+
+CPUSchedulingPolicy=batch
+IOSchedulingClass=idle
+IOSchedulingPriority=7
+Nice=19
|
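Review bot: `ReadWritePaths=/srv/backup/lifeboat` makes the whole backup tree writable to every instance, so a run for one target can modify or delete the backups of all the others, even though `AssertPathExists=` already names the per-instance directory. If lifeboat keeps no shared state in the parent directory (not visible from this unit), narrow it to `ReadWritePaths=/srv/backup/lifeboat/%i`. Because the service holds `CAP_DAC_READ_SEARCH` and may open IPv4/IPv6 sockets, it can read any file on the host and send it out; that combination deserves a comment in the unit, and `UMask=0077` would keep what it writes from being readable by other local users. `SystemCallArchitectures=native` is also worth adding so the `@system-service` filter cannot be sidestepped through a non-native ABI.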