# Oneshot service that runs the Class A backup script (playerdata + DBs).
# The Description mentions a 5-minute cadence; no schedule is set in this unit,
# so it is presumably triggered by a companion timer — TODO confirm.
[Unit]
Description=Minecraft frequent backup (Class A — playerdata + DBs, every 5 min)
Documentation=https://git.s8n.ru/s8n/minecraft-server/src/branch/main/BACKUP-STRATEGY.md
# Pull Docker in and start only after it. Wants= is a weak dependency: the
# backup is still attempted if docker.service fails to start.
Wants=docker.service
After=docker.service

[Service]
Type=oneshot
# Run unprivileged rather than as root.
User=user
Group=user
# For a system unit, systemd itself reads this file before dropping to User=,
# so the file does not have to be readable by that account.
# NOTE(review): presumably carries the restic repository credentials — confirm
# it is root-owned, mode 0600, and kept out of version control.
EnvironmentFile=/etc/mc-backup.env
ExecStart=/usr/local/bin/restic-backup-playerdata.sh

# Keep the backup out of the way: lowered CPU priority, and the lowest
# priority (7) within the best-effort I/O class.
Nice=10
IOSchedulingClass=best-effort
IOSchedulingPriority=7

# File system sandbox. Everything is read-only for this service except the
# paths named in ReadWritePaths=. Per the original author's note, restic only
# needs read on /opt/docker/minecraft and write under TARGET_HOME/restic,
# /var/lib/mc-backup and /var/log.
ProtectSystem=strict
# Home directories are read-only; /home/user/restic is re-opened for writing
# by ReadWritePaths= below.
# NOTE(review): restic's default cache directory is ~/.cache/restic, which
# stays read-only here — confirm the script or the env file sets
# RESTIC_CACHE_DIR (or --cache-dir) to a writable path.
ProtectHome=read-only
ReadOnlyPaths=/opt/docker/minecraft
# NOTE(review): all of /var/log is writable. File permissions still apply to
# User=, but the sandbox adds no protection there; narrow this to the script's
# own log file or directory once its path is confirmed.
ReadWritePaths=/home/user/restic /var/lib/mc-backup /var/log
PrivateTmp=true

# No privilege gain via setuid/setgid binaries or file capabilities, and no
# creation of new SUID/SGID files.
NoNewPrivileges=true
RestrictSUIDSGID=true

# Kernel-facing surface: tunables and cgroups read-only, no module loading,
# execution domain (personality) locked.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
LockPersonality=true

# NOTE(review): network access, capabilities and system calls are not
# restricted by this unit. RestrictAddressFamilies=, CapabilityBoundingSet= and
# SystemCallFilter= are candidates; review with
# `systemd-analyze security <UNIT_NAME>` and verify a full backup and restore
# before enabling any of them.