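# Template unit that runs one geodata download job. The instance name selects
# what to download: %i is the escaped instance name, %I the unescaped one.
# Layout restored to one directive per line; systemd does not parse several
# directives on a single line, and comments must sit on lines of their own.

[Unit]
Description=Geodata updater service (download ‘%I’)

# Chaining logic from https://serverfault.com/questions/1079993/why-does-my-systemd-timer-only-trigger-once-when-the-unit-is-a-target#answer-1128671
# XXX Looks like Upholds= prevents running a single unit, as it causes
# geodata-update@%i.target to start upon `systemctl start geodata-download@foo.service`
#
# NOTE(review): After= only orders this unit behind network-online.target; it
# does not pull the target in. Unless another unit already wants it, add
# Wants=network-online.target so the download really waits for the network.
After=network-online.target geodata-update@%i.target
Upholds=geodata-update@%i.target

[Service]
# Run as a dedicated account rather than root, at low CPU and idle I/O priority.
User=_geodata-download
Group=_geodata
Nice=15
IOSchedulingClass=idle

# NOTE(review): Type=oneshot has no start timeout by default, so a stalled
# download blocks this unit indefinitely; consider setting TimeoutStartSec=.
Type=oneshot

# %C is the cache root and %t the runtime root (/var/cache and /run for a
# system unit). The bare "--" is the conventional end-of-options marker, so the
# instance name in %I is passed as an operand and not as an option.
# NOTE(review): --no-exit-code presumably makes the tool exit 0 on failure, in
# which case systemd never sees a failed download; confirm and monitor the
# tool's own output if so.
ExecStart=/usr/local/bin/geodata-download \
    --cachedir=%C/geodata \
    --lockdir=%t/lock/geodata/cache \
    --no-exit-code \
    --quiet \
    -- %I

# Hardening
# No privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=yes
# Home directories are inaccessible; the rest of the file system is read-only
# apart from the API file systems and the ReadWritePaths= entries below.
ProtectHome=yes
ProtectSystem=strict
PrivateDevices=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Only local, IPv4 and IPv6 sockets may be created.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# The only writable locations. Both must exist before the unit starts (a
# missing path fails the start unless the entry is prefixed with "-");
# presumably packaging or tmpfiles.d creates them, to be confirmed.
ReadWritePaths=%C/geodata
ReadWritePaths=%t/lock/geodata/cache
# NOTE(review): further sandboxing worth evaluating for a network-facing
# downloader: PrivateTmp=, ProtectKernelLogs=, ProtectClock=, ProtectHostname=,
# RestrictNamespaces=, RestrictSUIDSGID=, LockPersonality=,
# SystemCallArchitectures=native, SystemCallFilter=@system-service and an empty
# CapabilityBoundingSet=. Check each against the tool's needs, for example
# with `systemd-analyze security`, before enabling.

[Install]
WantedBy=geodata-update@%i.target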