[Unit]
Description=Webmap updater service (import %I to PostgreSQL)
After=postgresql.service webmap-update@%i.target
After=webmap-download@%i.service
Upholds=webmap-update@%i.target

# XXX webmap-download write cached files atomatically but there is no
# guarantee that GDAL/OGR opens them atomically.  It'd therefore make
# sense to use the following Conflict= directive, however systemd skips
# webmap-download@%i.service in that case.
#Conflicts=webmap-download@%i.service

[Service]
User=_webmap-import
Group=_webmap

Nice=15
IOSchedulingClass=idle

Type=oneshot
ExecStart=/usr/local/bin/webmap-import \
    --cachedir=/var/cache/webmap \
    --lockfile=%t/webmap/lock \
    -- %I

RuntimeDirectory=webmap
RuntimeDirectoryPreserve=yes

# Hardening
NoNewPrivileges=yes
ProtectHome=yes
ProtectSystem=strict
PrivateDevices=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
PrivateTmp=yes

[Install]
WantedBy=webmap-update@%i.target