[Unit] Description=Update GeoIP2 and GeoIP Legacy binary databases Wants=network.target After=network.target [Service] Type=oneshot ExecStart=/usr/bin/geoipupdate --config-file /etc/GeoIP.conf NoNewPrivileges=true LockPersonality=true CapabilityBoundingSet= PrivateDevices=true PrivateTmp=true PrivateUsers=true ProtectSystem=strict ProtectHome=true ReadWritePaths=/var/lib/GeoIP MemoryDenyWriteExecute=true RemoveIPC=true RestrictRealtime=true RestrictNamespaces=true RestrictSUIDSGID=true RestrictAddressFamilies=AF_INET RestrictAddressFamilies=AF_INET6 ProtectHostname=true ProtectControlGroups=true ProtectKernelLogs=true ProtectKernelTunables=true ProtectKernelModules=true ProtectClock=true ProtectProc=invisible SystemCallArchitectures=native SystemCallFilter=~@clock SystemCallFilter=~@cpu-emulation SystemCallFilter=~@debug SystemCallFilter=~@module SystemCallFilter=~@mount SystemCallFilter=~@obsolete SystemCallFilter=~@privileged SystemCallFilter=~@raw-io SystemCallFilter=~@reboot SystemCallFilter=~@resources SystemCallFilter=~@swap