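# systemd user unit: runs availability-monitor.py, which checks services over
# the network and raises notifications over the D-Bus session bus.
# The %h and %t/bus specifiers and graphical-session.target only make sense in
# a per-user service manager, so this unit is meant for `systemctl --user`.

[Unit]
Description=Server services monitoring
# NOTE(review): network-online.target is normally provided by the system
# manager; in a user manager this ordering is likely a no-op, so the script
# should tolerate starting before the network is up - confirm.
After=network-online.target graphical-session.target

[Service]
Type=simple
# Private settings for the monitor. Everything in this file ends up in the
# process environment, so keep it readable by the owner only.
# NOTE(review): the file lives under /home, which InaccessiblePaths= hides from
# the service, so it is presumably loaded before the sandbox is set up - confirm.
EnvironmentFile=%h/.config/private-env/availability-monitor.env
# NOTE(review): 3600 is presumably the check interval in seconds - confirm
# against the script.
ExecStart=/usr/local/bin/availability-monitor.py 3600

# Empty assignments: no ambient capabilities and an empty bounding set.
AmbientCapabilities=
CapabilityBoundingSet=
# Hides /home and /root entirely. ProtectHome= is kept at read-only below, so
# these two paths are listed here explicitly.
InaccessiblePaths=/home /root
KeyringMode=private
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateIPC=true
PrivateMounts=true
PrivateTmp=true
# NOTE(review): in a user manager the mount-namespace options in this section
# depend on unprivileged user namespaces being available; if the kernel or
# distribution disables them, check that the sandbox is still applied.
PrivateUsers=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
# ProtectHome=true would also make /run/user inaccessible, and ReadWritePaths=
# cannot re-expose %t/bus underneath an inaccessible directory. read-only keeps
# the session bus socket reachable for notifications.
ProtectHome=read-only
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=noaccess
# Whole file system is read-only for the service except the paths listed in
# ReadWritePaths=.
ProtectSystem=strict
# Only writable path: the D-Bus session bus socket, needed to send notifications.
ReadWritePaths=%t/bus
# AF_UNIX for the D-Bus socket (notifications); AF_INET/AF_INET6 for the
# availability checks themselves. Every other address family is refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Anything the service creates is owner read-only: no owner write bit and no
# access for group or others.
UMask=0277

[Install]
# A user manager has no multi-user.target, so enabling the unit against it
# would never start the monitor. default.target is the target a user instance
# activates on start.
# NOTE(review): use graphical-session.target instead if the monitor should run
# only while a desktop session is up.
WantedBy=default.target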