[Unit]
Description=Protect Qubes VM execution environment at startup
Documentation=https://github.com/tasket/Qubes-VM-hardening
After=qubes-sysinit.service
Before=qubes-mount-dirs.service
DefaultDependencies=false
#OnFailure=rescue.target
#OnFailureJobMode=replace-irreversibly

[Service]
Type=oneshot
RemainAfterExit=no
# privdirs must begin with /rw
# Environment="privdirs=/rw/config /rw/usrlocal /rw/bind-dirs"
ExecStart=/usr/lib/qubes/init/vm-boot-protect.sh
Restart=no

[Install]
WantedBy=sysinit.target