From df77c598d9eabe6546a67774a2f3a106316c3c81 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 4 Nov 2022 01:02:09 +0100
Subject: [PATCH] enabled DynamicUser isolation with LoadCredential workaround
---
 plenums_invite.service | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/plenums_invite.service b/plenums_invite.service
index d2d42ad..6e1e4b9 100644
--- a/plenums_invite.service
+++ b/plenums_invite.service
@@ -3,12 +3,13 @@ Description=Send invitation to Hackspace's Announce Discourse
 [Service]
 Type=oneshot
-ExecStart=/opt/plenums_invite/invite.py
+ExecStart=/opt/plenums_invite/invite.py -c ${CREDENTIALS_DIRECTORY}/plenums_invite_conf
 WorkingDirectory=/opt/plenums_invite
+LoadCredential=plenums_invite_conf:/opt/plenums_invite/invite.conf
 UMask=077
-#DynamicUser=yes
+DynamicUser=yes
 PrivateDevices=yes
 PrivateUsers=yes
@@ -34,4 +35,5 @@ RestrictRealtime=true
 RestrictNamespaces=true
 SystemCallArchitectures=native
 LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
 RestrictAddressFamilies=AF_INET AF_INET6
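Review bot: The new LoadCredential line still leaves invite.conf at rest under /opt/plenums_invite, where the service manager reads it as root on every start, so the secret is only as protected as that file's ownership and mode, which this commit does not change or show; the unit should carry a comment stating that expectation, e.g. `# invite.conf must stay root:root 0600; it is handed to the dynamic user read-only via $CREDENTIALS_DIRECTORY`, and LoadCredentialEncrypted= is the option to reach for if at-rest protection is wanted later. Enabling DynamicUser=yes also implies ProtectSystem=strict and similar hardening per systemd.exec(5), so if invite.py writes any state into WorkingDirectory it will presumably start failing; a StateDirectory= would be the fix, but the script is not visible here. Likewise the dynamic UID needs read+execute access to /opt/plenums_invite and invite.py, which the commit does not establish. The reason for the workaround (the dynamic user cannot open the root-owned config directly) is only in the commit subject and should be a comment next to LoadCredential=.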
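Review bot: The added SystemCallFilter= is a deny-list (`~`), so any syscall not in one of those groups, including ones added to the kernel later, remains allowed; for a oneshot Python script the allow-list form is tighter and is the pattern systemd.exec(5) recommends, i.e. `SystemCallFilter=@system-service` followed by `SystemCallFilter=~@privileged @resources` to layer the deny-list on top. Per systemd.exec(5), @privileged already appears to cover @clock, @module, @raw-io, @reboot and @swap, so listing them separately is redundant and worth trimming for readability. Note that a filtered syscall kills the process with SIGSYS by default, which on a oneshot shows up as an opaque failure; consider `SystemCallErrorNumber=EPERM` while validating the filter against a real run, and document the choice in a comment above the line.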