[Unit]
Description=Update sbuild unshare chroot tarballs
ConditionACPower=true
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=%h/.local/lib/sbuild/update-chroots.sh
LimitNOFILE=131072
IOSchedulingClass=idle
Nice=19

CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_CHOWN
IPAddressDeny=any
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
PrivateNetwork=true
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service @chown