[Unit]
Description=Send invitation to Hackspace's Announce Discourse

[Service]
Type=oneshot
ExecStart=/opt/plenums_invite/invite.py

WorkingDirectory=/opt/plenums_invite

UMask=077
#DynamicUser=yes

PrivateDevices=yes
PrivateUsers=yes
PrivateTmp=yes

ProtectSystem=strict
ProtectHome=yes
ProtectClock=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
ProtectKernelLogs=yes
ProtectProc=invisible
ProcSubset=pid
ProtectHostname=yes

ReadOnlyDirectories=/

NoNewPrivileges=true
CapabilityBoundingSet=
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictNamespaces=true
SystemCallArchitectures=native
LockPersonality=yes
RestrictAddressFamilies=AF_INET AF_INET6