#---------------------------------------------------------------------------
# /usr/lib/systemd/system/geoip-updater.service - service unit
#
# Creation:     2023-04-10 hbfl
# Last Update:  $Id$
#
# Copyright (c) 2016-@@YEAR@@ the eisfair team, team(at)eisfair(dot)org
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#-----------------------------------------------------------------------

[Unit]
Description=GeoIP databases updater

[Service]
# One-shot job: geoipupdate runs to completion and exits. Relative paths
# resolve against the database directory.
Type=oneshot
ExecStart=/usr/bin/geoipupdate
WorkingDirectory=/var/lib/GeoIP

# --- Privileges -------------------------------------------------------
# NOTE(review): this file sets no User=, so the process starts as root
# unless a drop-in says otherwise. The two empty assignments below clear
# the ambient and bounding capability sets, leaving no capabilities.
AmbientCapabilities=
CapabilityBoundingSet=
# Block privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=yes
# Deny creating setuid/setgid files, here relevant to /var/lib/GeoIP.
RestrictSUIDSGID=yes
# Private user namespace: root and the unit's own user keep their IDs,
# all other users and groups are mapped to "nobody".
PrivateUsers=yes
# Give the service its own session keyring, not linked to a user keyring.
KeyringMode=private

# --- File system view -------------------------------------------------
# The whole hierarchy is mounted read-only; ReadWritePaths= is the only
# persistent location the updater may write to.
# NOTE(review): the unit fails in the namespace setup step if
# /var/lib/GeoIP does not exist; confirm the package creates it.
ProtectSystem=strict
ReadWritePaths=/var/lib/GeoIP
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Mount propagation of the unit's mount namespace is set to private.
MountFlags=private

# --- Kernel and host interfaces ---------------------------------------
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes

# --- Process restrictions ---------------------------------------------
LockPersonality=yes
# No memory mappings that are both writable and executable.
MemoryDenyWriteExecute=yes
RestrictNamespaces=yes
RestrictRealtime=yes
# Remove System V and POSIX IPC objects owned by the unit's user on stop.
RemoveIPC=yes

# --- Network ----------------------------------------------------------
# Only IPv4/IPv6 sockets may be created. AF_UNIX and AF_NETLINK are not
# in the list.
# NOTE(review): name resolution that goes through a local socket (nscd,
# nss-resolve) will not work here and must fall back to plain DNS;
# verify on the target system.
RestrictAddressFamilies=AF_INET AF_INET6

# --- System calls -----------------------------------------------------
# Allow-list. No SystemCallErrorNumber= is set, so a system call outside
# the list terminates the process with SIGSYS rather than returning an
# error. After a geoipupdate upgrade, a SIGSYS exit in the journal means
# this list needs to be extended.
SystemCallArchitectures=native
SystemCallFilter=@basic-io @file-system @io-event @network-io @process @signal flock fsync madvise uname