# Podman Quadlet container unit: PostgreSQL database attached to the network
# defined by news.network.
[Container]
# Image is referenced by tag, not by digest.
# NOTE(review): AutoUpdate=registry makes `podman auto-update` follow that tag,
# so whatever the registry serves for it is pulled and run without a review
# step. Confirm this trust in the upstream registry is intended for a database,
# and that a backup exists before an update can restart the container.
Image=docker.io/postgres:16-alpine
AutoUpdate=registry
# No PublishPort= is set in this file, so the database is reachable only
# through this network unless a drop-in adds a published port.
Network=news.network

# environment
# Injects the Podman secret news-postgres-password as the environment variable
# POSTGRES_PASSWORD; the secret must already exist in Podman's secret store.
# NOTE(review): an env-type secret is readable from the process environment
# inside the container. The official postgres image also accepts
# POSTGRES_PASSWORD_FILE, which would allow a mounted secret instead - consider.
# NOTE(review): the official image presumably applies this password only when
# it initialises an empty data directory, so changing the secret later would
# not rotate the database password - confirm.
Secret=news-postgres-password,target=POSTGRES_PASSWORD,type=env

# storage
# /tmp is a tmpfs, so its contents do not survive a container restart.
VolatileTmp=true
# Persistent state lives in two Quadlet-managed volumes: the database files
# and a separate /backup mount.
# NOTE(review): nothing in this file writes to /backup; presumably an external
# backup job uses it - verify, and check who else can mount that volume.
Volume=news-postgres.volume:/var/lib/postgresql/data
Volume=news-postgres-backup.volume:/backup

# security
# Root filesystem is read-only; writable paths are limited to the volumes
# above and tmpfs mounts.
ReadOnly=true
# Processes in the container cannot gain privileges through setuid binaries
# or file capabilities.
NoNewPrivileges=true
# Start from an empty capability set and add back only the five listed.
# NOTE(review): no User= is set, so the container starts as the image's default
# user; these five look like what the entrypoint needs to chown the data
# directory and switch to an unprivileged user - confirm none can be removed.
DropCapability=ALL
AddCapability=CHOWN DAC_OVERRIDE FOWNER SETGID SETUID

[Service]
# systemd restarts the service on any exit, clean or failed; a deliberate stop
# through systemctl is not restarted.
# NOTE(review): no restart delay or start limit is set here, so a container
# that fails at startup (e.g. missing secret) falls back to systemd's defaults.
Restart=always

[Install]
# Start the container automatically when either target is reached.
# multi-user.target exists only in the system manager; default.target is also
# available in per-user managers, so listing both presumably lets the same file
# run rootful or rootless - which one is in use is not visible here; confirm.
WantedBy=multi-user.target default.target