Qubes-VM-hardening/vm-boot-protect.service

[Unit]
Description=Protect Qubes VM execution environment at startup
Documentation=https://github.com/tasket/Qubes-VM-hardening
After=qubes-sysinit.service
Before=qubes-mount-dirs.service
ConditionPathExists=|/var/run/qubes-service/vm-boot-protect
ConditionPathExists=|/var/run/qubes-service/vm-boot-protect-root
ConditionPathExists=|/var/run/qubes-service/vm-boot-protect-cli
DefaultDependencies=false
#OnFailure=rescue.target
#OnFailureJobMode=replace-irreversibly

[Service]
Type=oneshot
RemainAfterExit=no
# privdirs must begin with /rw
# Environment="privdirs=/rw/config /rw/usrlocal /rw/bind-dirs"
ExecStart=/usr/lib/qubes/init/vm-boot-protect.sh
Restart=no

[Install]
WantedBy=sysinit.target