[Unit]
Description=Geodata updater service (import ‘%I’ to PostGIS)
After=postgresql.service geodata-update@%i.target
After=geodata-download@%i.service
Upholds=geodata-update@%i.target

[Service]
User=_geodata
Group=_geodata

Nice=15
IOSchedulingClass=idle

# Point TMPDIR to something that is not a tmpfs as we need to unpack large archives
Environment=TMPDIR=/var/tmp

Type=oneshot
ExecStart=/usr/local/bin/geodata-import \
    --cachedir=%C/geodata \
    --lockfile=%t/lock/geodata/lock \
    --lockdir-sources=%t/lock/geodata/cache \
    --mvtdir=/var/www/webmap/tiles/%I \
    --mvt-compress \
    --metadata-compress \
    -- %I

# Hardening
NoNewPrivileges=yes
ProtectHome=yes
ProtectSystem=strict
PrivateDevices=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
ReadWritePaths=%t/lock/geodata
ReadWritePaths=/var/www/webmap/tiles
PrivateTmp=yes

[Install]
WantedBy=geodata-update@%i.target