[Unit] Description=Send invitation to Hackspace's Announce Discourse [Service] Type=oneshot ExecStart=/opt/plenums_invite/invite.py -c ${CREDENTIALS_DIRECTORY}/plenums_invite_conf WorkingDirectory=/opt/plenums_invite LoadCredential=plenums_invite_conf:/opt/plenums_invite/invite.conf UMask=077 DynamicUser=yes PrivateDevices=yes PrivateUsers=yes PrivateTmp=yes ProtectSystem=strict ProtectHome=yes ProtectClock=yes ProtectKernelModules=yes ProtectKernelTunables=yes ProtectControlGroups=yes ProtectKernelLogs=yes ProtectProc=invisible ProcSubset=pid ProtectHostname=yes ReadOnlyDirectories=/ NoNewPrivileges=true CapabilityBoundingSet= MemoryDenyWriteExecute=true RestrictRealtime=true RestrictNamespaces=true SystemCallArchitectures=native LockPersonality=yes SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete RestrictAddressFamilies=AF_INET AF_INET6