[Unit]
Description=Webmap updater service (publish %I as MVT)
#After=postgresql.service webmap-update@%i.target
#After=webmap-download@%i.service
#After=webmap-import@%i.service
#Upholds=webmap-update@%i.target

[Service]
User=_webmap-publish
Group=_webmap

Nice=15
IOSchedulingClass=idle

Type=oneshot
ExecStart=/usr/local/bin/webmap-publish \
    --lockfile=%t/lock/webmap/lock \
    --destdir=/var/www/webmap/tiles/%i \
    --name=%I \
    --webroot=/var/www/webmap \
    --metadata=/var/www/webmap/tiles/metadata.json \
    --metadata-lockfile=%t/lock/webmap/tiles.lock \
    --compress \
    -- %I

# Hardening
NoNewPrivileges=yes
ProtectHome=yes
ProtectSystem=strict
PrivateDevices=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
ReadWritePaths=/var/www/webmap/tiles
ReadWritePaths=%t/lock/webmap
PrivateTmp=yes

#[Install]
#WantedBy=webmap-update@%i.target