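[Unit]
Description=Update Conservancy website checkout

[Service]
Type=oneshot
User=www
WorkingDirectory=/var/www/website
ExecStart=/var/www/website/systemd/conservancy-www-update.sh
# The leading "~" makes this a deny-list: the listed syscall groups are blocked.
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
# An empty assignment leaves the service with no capabilities at all.
CapabilityBoundingSet=
NoNewPrivileges=true
PrivateDevices=true
PrivateNetwork=false
PrivateTmp=true
PrivateUsers=false
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
# strict mounts the file system hierarchy read-only; ReadWritePaths re-opens
# only the website checkout for writing.
ProtectSystem=strict
ReadWritePaths=/var/www/website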