#
# Fedora Pflaster Installer 
# Copyright Daniel Mehrmann (Akusari)
#

[Unit]
Description=Update and build Fedora Pflaster installer
Documentation=https://codeberg.org/kaputtix/pflaster
OnFailure=failed@%n.service

[Service]
Type=oneshot
User=builduser
Group=buildusers
ExecStart=/usr/local/src/git/pflaster_update.sh --nightly
IOSchedulingClass=idle
CPUSchedulingPolicy=idle

NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectSystem=strict
ReadWritePaths=/usr/local/src/git/pflaster
ReadWritePaths=/var/local/pool/distribution/repo/fedora/pflaster

CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE CAP_SYS_CHROOT CAP_BLOCK_SUSPEND CAP_LEASE
CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TIME CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_WAKE_ALARM  CAP_MAC_ADMIN CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
CapabilityBoundingSet=~CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER