[Unit]
Description=Back up Samba idmap database

[Service]
Type=oneshot
ExecStart=/usr/bin/tdbbackup -s .bak /var/lib/samba/private/idmap.ldb
ReadWritePaths=/var/lib/samba/private
InaccessiblePaths=/etc

CapabilityBoundingSet=
DeviceAllow=
DevicePolicy=closed
IPAddressAllow=
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateUsers=yes
PrivateTmp=yes
ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
UMask=0077