| author | Ryan Kavanagh <rak@rak.ac> | 2025-12-20 11:39:06 -0500 |
|---|---|---|
| committer | Ryan Kavanagh <rak@rak.ac> | 2025-12-20 11:39:06 -0500 |
| commit | 0c91970f8870274a3d5cd3564afbf99049afa8e6 (patch) | |
| tree | 0e3a57dc1b7e240a0e167a010d0a5711df204c17 /dot_config/systemd/user/sbuild-update.service | |
| parent | ssh certs (diff) | |
| parent | sbuild update timer (diff) | |
Diffstat (limited to 'dot_config/systemd/user/sbuild-update.service')
| -rw-r--r-- | dot_config/systemd/user/sbuild-update.service | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/dot_config/systemd/user/sbuild-update.service b/dot_config/systemd/user/sbuild-update.service
new file mode 100644
index 0000000..82c6bb3
--- /dev/null
+++ b/dot_config/systemd/user/sbuild-update.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=Update sbuild unshare chroot tarballs
+ConditionACPower=true
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=%h/.local/lib/sbuild/update-chroots.sh
+LimitNOFILE=131072
+IOSchedulingClass=idle
+Nice=19
+
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_CHOWN
+IPAddressDeny=any
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateNetwork=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service @chown |
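Review bot: `PrivateNetwork=true`, `IPAddressDeny=any` and `RestrictAddressFamilies=AF_UNIX` leave the service with no usable network, yet the [Unit] section pulls in `Wants=network-online.target` and the job is described as updating chroot tarballs, which presumably fetches packages from a mirror. If update-chroots.sh (not shown) does need the network, the run will fail under this sandbox; drop `PrivateNetwork=true` and `IPAddressDeny=any`, widen to `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`, and add `After=network-online.target`, since `Wants=` alone does not order the start. If the job is meant to run offline, remove the `Wants=` line and state that in a comment so the network lockdown reads as deliberate. Separately, `RestrictNamespaces=true` looks at odds with an sbuild unshare workflow, which normally relies on user namespaces, so confirm the script still runs with that setting before relying on the timer.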
