metacrypt/deploy/systemd/metacrypt-backup.service

[Unit]
Description=Metacrypt database backup
After=metacrypt.service

[Service]
Type=oneshot
User=metacrypt
Group=metacrypt
ExecStart=/usr/local/bin/metacrypt snapshot --config /srv/metacrypt/metacrypt.toml --output /srv/metacrypt/backups/metacrypt-%i.db

NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/srv/metacrypt