plenums_invite/plenums_invite.service


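# One-shot job that runs invite.py to send the plenum invitation.
# There is no [Install] section, so the unit is presumably started by a timer
# or by hand - confirm against the deployment.
[Unit]
Description=Send invitation to Hackspace's Announce Discourse

[Service]
Type=oneshot
ExecStart=/opt/plenums_invite/invite.py -c ${CREDENTIALS_DIRECTORY}/plenums_invite_conf
WorkingDirectory=/opt/plenums_invite

# The service manager reads invite.conf and exposes a copy under
# $CREDENTIALS_DIRECTORY, so the source file does not have to be readable by
# the unprivileged user the job runs as.
# NOTE(review): confirm invite.conf is root-owned with mode 0600, and that
# /opt/plenums_invite is not writable by unprivileged users, since invite.py
# is executed from it.
LoadCredential=plenums_invite_conf:/opt/plenums_invite/invite.conf
UMask=077

# Throwaway UID/GID allocated for each run. DynamicUser=yes already implies
# PrivateTmp=, NoNewPrivileges= and ProtectSystem=strict; repeating them below
# is harmless and keeps the whole policy visible in one place.
DynamicUser=yes
PrivateDevices=yes
PrivateUsers=yes
PrivateTmp=yes

# File system and kernel interfaces: read-only or hidden.
ProtectSystem=strict
ProtectHome=yes
ProtectClock=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
ProtectKernelLogs=yes
ProtectProc=invisible
ProcSubset=pid
ProtectHostname=yes
# ReadOnlyPaths= is the current name of the legacy ReadOnlyDirectories= alias.
ReadOnlyPaths=/

# Privileges: the empty CapabilityBoundingSet= leaves the job no capabilities.
NoNewPrivileges=yes
CapabilityBoundingSet=
# NOTE(review): MemoryDenyWriteExecute= blocks writable+executable mappings,
# which some FFI- or JIT-based Python modules need; check invite.py's
# dependencies if the job starts failing.
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
SystemCallArchitectures=native
LockPersonality=yes

# Deny-list: every system call outside these groups stays allowed.
# NOTE(review): an allow-list (SystemCallFilter=@system-service, followed by
# this ~ line) is tighter; test the job under it before switching.
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete

# Allow-list: IPv4 and IPv6 sockets only. AF_UNIX is excluded, so name
# resolution must not depend on a local socket (nscd, nss-resolve) - verify
# if lookups fail.
RestrictAddressFamilies=AF_INET AF_INET6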