# Run the website update script (see also: conservancy-www-update.timer).

[Unit]
Description=Update Conservancy website checkout

[Service]
Type=oneshot
User=www-data
WorkingDirectory=/var/www/website
ExecStart=/var/www/website/systemd/conservancy-www-update.sh

SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
CapabilityBoundingSet=
NoNewPrivileges=true

PrivateDevices=true
PrivateNetwork=false
PrivateTmp=true
PrivateUsers=false
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=/var/www/website