[Unit]
Description=Clean healthchecks database
Documentation=https://github.com/healthchecks/healthchecks

[Service]
Type=oneshot
ExecStart=/usr/lib/healthchecks/hc-clean-db
WorkingDirectory=/var/lib/healthchecks
User=healthchecks
Group=healthchecks

NoNewPrivileges=yes
LimitNOFILE=1048576
LimitNPROC=64
UMask=0077
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/healthchecks
PrivateTmp=yes
PrivateDevices=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native