1 files changed, 36 insertions, 0 deletions

diff --git a/healthchecks-clean-db.service b/healthchecks-clean-db.service
new file mode 100644
index 000000000000..6f7079685883
--- /dev/null
+++ b/healthchecks-clean-db.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=Clean healthchecks database
+Documentation=https://github.com/healthchecks/healthchecks
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/healthchecks/hc-clean-db
+WorkingDirectory=/var/lib/healthchecks
+User=healthchecks
+Group=healthchecks
+
+NoNewPrivileges=yes
+LimitNOFILE=1048576
+LimitNPROC=64
+UMask=0077
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths=/var/lib/healthchecks
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native