ldorigo/gist:51d6a48d9e207f25df171dff9f9722bc

## gistfile1.txt
[Unit]
Description=Refresh Pacman mirrorlist with Reflector.
Documentation=https://wiki.archlinux.org/index.php/Reflector
Wants=network-online.target
After=network-online.target nss-lookup.target

[Service]
Type=oneshot
ExecStart=/usr/bin/reflector @/etc/xdg/reflector/reflector.conf
CacheDirectory=reflector
# CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_SYS_TIME CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_KILL CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYS_RESOURCE CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_SYS_BOOT CAP_LINUX_IMMUTABLE CAP_IPC_LOCK CAP_SYS_CHROOT CAP_BLOCK_SUSPEND CAP_LEASE CAP_SYS_PACCT CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
CapabilityBoundingSet=
Environment=XDG_CACHE_HOME=/var/cache/reflector
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectSystem=strict
ReadOnlyPaths=/etc/xdg/reflector/reflector.conf
ReadWritePaths=/etc/pacman.d/mirrorlist
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@resources @privileged
UMask=177

[Install]
WantedBy=multi-user.target
	[Unit]
	Description=Refresh Pacman mirrorlist with Reflector.
	Documentation=https://wiki.archlinux.org/index.php/Reflector
	Wants=network-online.target
	After=network-online.target nss-lookup.target

	[Service]
	Type=oneshot
	ExecStart=/usr/bin/reflector @/etc/xdg/reflector/reflector.conf
	CacheDirectory=reflector
	# CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_SYS_TIME CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_KILL CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYS_RESOURCE CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_SYS_BOOT CAP_LINUX_IMMUTABLE CAP_IPC_LOCK CAP_SYS_CHROOT CAP_BLOCK_SUSPEND CAP_LEASE CAP_SYS_PACCT CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
	CapabilityBoundingSet=
	Environment=XDG_CACHE_HOME=/var/cache/reflector
	LockPersonality=true
	MemoryDenyWriteExecute=true
	NoNewPrivileges=true
	PrivateDevices=true
	PrivateTmp=true
	PrivateUsers=true
	ProtectClock=true
	ProtectControlGroups=true
	ProtectHome=true
	ProtectHostname=true
	ProtectKernelTunables=true
	ProtectKernelLogs=true
	ProtectKernelModules=true
	ProtectSystem=strict
	ReadOnlyPaths=/etc/xdg/reflector/reflector.conf
	ReadWritePaths=/etc/pacman.d/mirrorlist
	RemoveIPC=true
	RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
	RestrictNamespaces=true
	RestrictRealtime=true
	RestrictSUIDSGID=true
	SystemCallArchitectures=native
	SystemCallFilter=@system-service
	SystemCallFilter=~@resources @privileged
	UMask=177

	[Install]
	WantedBy=multi-user.target