[Unit]
Description=Update nextcloud news feeds
After=network.target network-online.target

[Service]
CapabilityBoundingSet=
DeviceAllow=
DevicePolicy=closed
Environment=NEXTCLOUD_CONFIG_DIR=/etc/webapps/nextcloud/config
ExecStart=/usr/bin/nextcloud-news-updater -c /etc/webapps/nextcloud/news/nextcloud-news-updater.ini
Group=http
LockPersonality=true
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadWritePaths=/etc/webapps/nextcloud
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
UMask=007
User=http

[Install]
WantedBy=multi-user.target