# systemd template unit for the webmap download step; judging by the XXX note
# below it is instantiated as webmap-download@<instance>.service.
# %i is the instance name as written in the unit name, %I its unescaped form.
# systemd only recognises full-line comments, so every note sits above the
# directive it describes.

[Unit]
Description=Webmap updater service (download %I)

# Chaining logic from https://serverfault.com/questions/1079993/why-does-my-systemd-timer-only-trigger-once-when-the-unit-is-a-target#answer-1128671
# XXX Looks like Upholds= prevents running a single unit, as it causes
# webmap-update@%i.target to start upon `systemctl start webmap-download@foo.service`
#
# NOTE(review): After= only orders this unit; it does not pull
# network-online.target into the transaction. No Wants=network-online.target
# is visible here, so the ordering only has an effect if another unit requests
# that target. Confirm this is intended.
After=network-online.target webmap-update@%i.target
# While this unit is active, systemd starts the matching target again whenever
# it is found inactive or failed.
Upholds=webmap-update@%i.target

[Service]
# One-shot job: the unit counts as started once the command has exited.
Type=oneshot

# %t is the runtime directory root (/run for the system manager), so the lock
# directory is the RuntimeDirectory= declared further down.
# The bare "--" precedes the instance name, presumably so that an instance
# starting with "-" is read as a positional argument and not as an option
# (verify against webmap-download's argument parser).
# NOTE(review): --no-exit-code presumably makes the tool exit 0 even when a
# download fails; if so, failures never mark this unit as failed and have to be
# detected some other way. Confirm against the tool's usage text.
ExecStart=/usr/local/bin/webmap-download \
    --cachedir=/var/cache/webmap \
    --lockdir=%t/webmap-download \
    --no-exit-code \
    --quiet \
    -- %I

# Created under %t and owned by User=/Group= below. The name carries no
# instance specifier, so all instances share it; Preserve=yes keeps it in
# place when an instance stops.
RuntimeDirectory=webmap-download
RuntimeDirectoryPreserve=yes

# Dedicated unprivileged account; the download never runs as root.
User=_webmap-download
Group=_webmap

# Lowest-priority CPU and I/O scheduling so downloads yield to other work.
Nice=15
IOSchedulingClass=idle

# Hardening
# No privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=yes
# /home, /root and /run/user are inaccessible to the service.
ProtectHome=yes
# The whole file system is read-only apart from /dev, /proc and /sys ...
ProtectSystem=strict
# ... except the download cache (the runtime directory above is writable too).
ReadWritePaths=/var/cache/webmap
# Private /dev without physical devices.
PrivateDevices=yes
# Read-only cgroup tree, no kernel module loading, read-only kernel tunables.
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Socket allow-list: local and IP sockets only (no netlink, no packet sockets).
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# NOTE(review): this service fetches remote data, so further sandboxing is
# worth evaluating with `systemd-analyze security`. Candidates: PrivateTmp=,
# ProtectKernelLogs=, ProtectClock=, ProtectHostname=, RestrictSUIDSGID=,
# LockPersonality=, RestrictNamespaces=, CapabilityBoundingSet=,
# SystemCallFilter=. None are enabled here because what webmap-download needs
# at run time is not visible in this file.

[Install]
# `systemctl enable` on an instance hooks it into the matching update target.
WantedBy=webmap-update@%i.target