[Unit]
Description=Webmap updater service (import ‘%I’ to PostGIS)
After=postgresql.service webmap-update@%i.target
After=webmap-download@%i.service
Upholds=webmap-update@%i.target

[Service]
User=_webmap
Group=_webmap

Nice=15
IOSchedulingClass=idle

Type=oneshot
ExecStart=/usr/local/bin/webmap-import \
    --cachedir=%C/webmap \
    --lockfile=%t/lock/webmap/lock \
    --lockdir-sources=%t/lock/webmap/cache \
    --mvtdir=/var/www/webmap/tiles/%I \
    --mvt-compress \
    -- %I

# Hardening
NoNewPrivileges=yes
ProtectHome=yes
ProtectSystem=strict
PrivateDevices=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
ReadWritePaths=%t/lock/webmap
ReadWritePaths=/var/www/webmap/tiles
PrivateTmp=yes

[Install]
WantedBy=webmap-update@%i.target