# First-boot announcement: starts /usr/libexec/dch/notify-online as a heavily
# sandboxed root process, ordered after the network-online target.

[Unit]
Description=Notify infrastructure services that this host is online
# Skipped on every boot except the first one.
ConditionFirstBoot=yes
# Wants= is what pulls network-online.target into the boot transaction.
Wants=network-online.target
# After= is ordering only: it neither starts sshd nor checks that sshd came up,
# so the "online" notification by itself does not prove SSH is reachable.
After=sshd.service network-online.target systemd-user-sessions.service

[Service]
# Type=exec: the unit counts as started once the binary has been executed.
Type=exec
ExecStart=/usr/libexec/dch/notify-online

# No User= is set: the helper has to be root to read the QEMU firmware
# configuration (fw_cfg). Everything below takes away what root could
# otherwise do.

# --- Privileges ---
# An empty bounding set leaves the process with no capabilities at all.
CapabilityBoundingSet=
# setuid / file-capability binaries cannot be used to regain privileges.
NoNewPrivileges=yes
# Separate user namespace: root here has no capabilities on the host side.
PrivateUsers=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
# Refuse mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=yes

# --- Devices ---
# closed policy + empty allow-list + private /dev: only the standard
# pseudo-devices (null, zero, random, ...) are available.
DevicePolicy=closed
DeviceAllow=
PrivateDevices=yes

# --- File system ---
# strict = the whole hierarchy is mounted read-only. No ReadWritePaths= is
# set, so persistent locations such as /etc and /var stay read-only.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

# --- Kernel and /proc ---
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Other users' processes are hidden and only the per-PID part of /proc is mounted.
ProtectProc=invisible
ProcSubset=pid

# --- Network ---
# Only IPv4/IPv6 sockets may be created. AF_UNIX and AF_NETLINK are not on
# the list. NOTE(review): confirm notify-online needs neither (for example
# for name resolution through a local resolver socket).
RestrictAddressFamilies=AF_INET AF_INET6

# --- System calls ---
SystemCallArchitectures=native
# Order matters: the first line sets the allow-list, the second removes the
# @privileged and @resources groups from it. No SystemCallErrorNumber= is
# set, so a filtered call terminates the process instead of returning an error.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

[Install]
WantedBy=multi-user.target