[Unit]
Description=Update Spamhaus lists
# This service will fail if firewalld is not running so we use Requires to make
# sure that firewalld is started.
Requires=firewalld.service
# Make sure the network is up and firewalld is started
After=network-online.target firewalld.service
Wants=network-online.target update-spamhaus-lists.timer

[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/firewalld/ipsets
PrivateTmp=true
WorkingDirectory=/var/tmp

SyslogIdentifier=update-spamhaus-lists
ExecStart=/usr/bin/flock -x update-spamhaus-lists.lck \
          /usr/local/bin/update-spamhaus-lists.sh

[Install]
WantedBy=multi-user.target