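# Template unit: one instance per backup set. %i is the escaped instance name,
# %I the unescaped one (systemd.unit(5)). Intended to be driven by a matching
# timer rather than enabled directly (no [Install] section).

[Unit]
Description=Lifeboat backup for %I
# Assert (not Condition): if the instance's backup directory is missing the
# start job fails and is logged instead of being silently skipped.
AssertPathExists=/srv/backup/lifeboat/%i

[Service]
Type=oneshot
User=lifeboat
Group=lifeboat
# The escaped instance name selects the backup set.
ExecStart=/usr/bin/lifeboat %i run-report

# Privilege: the only capability retained is CAP_DAC_READ_SEARCH, which lets the
# unprivileged lifeboat user read and traverse files regardless of DAC permissions.
# AmbientCapabilities keeps it across execve even with NoNewPrivileges=yes;
# CapabilityBoundingSet prevents the process from ever acquiring any other one.
AmbientCapabilities=CAP_DAC_READ_SEARCH
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
NoNewPrivileges=yes
RestrictSUIDSGID=yes

# Filesystem: everything read-only except the backup destination. ProtectHome is
# read-only rather than yes so home directories stay readable for backup.
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/srv/backup/lifeboat
PrivateTmp=yes
PrivateDevices=yes
# PrivateDevices=yes already implies DevicePolicy=closed (systemd.exec(5));
# kept explicit as defence in depth.
DevicePolicy=closed
ProtectProc=invisible
ProtectControlGroups=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectClock=yes
ProtectHostname=yes

# Process and kernel attack surface.
MemoryDenyWriteExecute=yes
LockPersonality=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RemoveIPC=yes
# Only IP sockets. AF_UNIX is absent, so syslog(), D-Bus or any other local
# socket use by lifeboat would fail under this policy — TODO confirm against the binary.
RestrictAddressFamilies=AF_INET AF_INET6
SystemCallFilter=@system-service
# Refuse system calls made through a non-native ABI; assumes /usr/bin/lifeboat
# is built for the host architecture.
SystemCallArchitectures=native

# Scheduling: yield to interactive work.
Nice=19
CPUSchedulingPolicy=batch
# The idle I/O class takes no priority level (ionice(1)), so an
# IOSchedulingPriority= setting would be ignored and is not given here.
IOSchedulingClass=idle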