# SPDX-License-Identifier: GPL-2.0-only

[Unit]
Description=Generate shutdown-ramfs
DefaultDependencies=no
Before=shutdown.target
ConditionPathExists=/run/initramfs/mkinitcpio-shutdown.conf
ConditionFileIsExecutable=!/run/initramfs/shutdown

[Service]
Type=oneshot
# /tmp/ could be unmounted at this point
# use /run/initcpio-tmp/ as temporary directory
RuntimeDirectory=initcpio-tmp
ExecStart=/usr/bin/mkinitcpio -c /run/initramfs/mkinitcpio-shutdown.conf -d /run/initramfs -k none -t "$RUNTIME_DIRECTORY"

ProtectSystem=strict
ReadWritePaths=/run/initramfs
ProtectHome=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
PrivateNetwork=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes