[Unit]
Description=Random seed load/save
Documentation=man:random-seed(8) man:random(4)
DefaultDependencies=no
RequiresMountsFor=/var/lib
Conflicts=shutdown.target
After=systemd-remount-fs.service
Before=sysinit.target shutdown.target
ConditionVirtualization=!container

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/random-seed load
ExecStop=/usr/local/sbin/random-seed save
CapabilityBoundingSet=CAP_SYS_ADMIN
NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
LockPersonality=yes
TemporaryFileSystem=/:ro
BindPaths=/var/lib
TimeoutSec=30s

[Install]
WantedBy=sysinit.target