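{#
  systemd oneshot unit (Ansible/Jinja2 template) that pulls the whawty-auth
  store "{{ whawty_auth_store.name }}" from the rsync daemon reachable via the
  ssh host alias "whawty-auth-server" into whawty_auth_store.config.basedir.

  Template inputs read here:
    whawty_auth_store.name                        -- unit description / ssh_config path
    whawty_auth_store.config.basedir              -- local mirror directory
    whawty_auth_store.permissions['file-mode']    -- optional, appended as --chmod=F<mode>
    whawty_auth_store.permissions.owner / .group  -- optional, appended as --chown=<owner>:<group>

  Extra rsync flags are collected in rsync_args and joined into ExecStart.
  list.append() is called through a throw-away "set" because the Jinja2 "do"
  extension is not assumed to be enabled.
#}
{% set rsync_args = [] %}
{% if 'permissions' in whawty_auth_store %}
{%   if 'file-mode' in whawty_auth_store.permissions %}
{%     set _dummy = rsync_args.append(" --chmod=F" ~ whawty_auth_store.permissions['file-mode']) %}
{%   endif %}
{#
  owner and group are independent: rsync accepts "--chown=USER:" and
  "--chown=:GROUP" and leaves the omitted side unchanged. Referencing
  .group when only .owner is configured used to fail the render under
  Ansible's default "undefined variable" handling.
#}
{%   if 'owner' in whawty_auth_store.permissions or 'group' in whawty_auth_store.permissions %}
{%     set _dummy = rsync_args.append(" --chown=" ~ whawty_auth_store.permissions.owner | default('') ~ ":" ~ whawty_auth_store.permissions.group | default('')) %}
{%   endif %}
{% endif %}
[Unit]
Description=sync for whawty-auth store {{ whawty_auth_store.name }}

[Service]
Type=oneshot
# -r recursive, -t keep mtimes, -p keep permissions, -W whole files (no delta
# transfer). --delete-delay and --delay-updates defer deletions and renames
# until the whole transfer is done, so the store is never half-updated while a
# reader looks at it; partial transfers are parked in <basedir>/.tmp.
# The ssh client config is pinned with -F so only the per-store key/host
# settings in /etc/whawty/auth/.store-<name>-sync/ssh_config are used.
ExecStart=/usr/bin/rsync -rtpW --delete --delete-delay --delay-updates --partial-dir=.tmp{{ rsync_args | join('') }} -e 'ssh -F "/etc/whawty/auth/.store-{{ whawty_auth_store.name }}-sync/ssh_config"' 'rsync://whawty-auth-server/store' '{{ whawty_auth_store.config.basedir }}'
# A oneshot that has not finished within this time is killed; raise it if the
# store grows beyond what the link can move in 40 seconds.
TimeoutStartSec=40s

# systemd hardening-options
# No User= is set, so rsync runs as root; the bounding set below keeps it to
# the two capabilities that --chown/--chmod on foreign-owned files need
# (presumably why exactly these two are granted -- confirm against the store
# ownership model before removing either).
AmbientCapabilities=CAP_CHOWN CAP_FOWNER
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
DeviceAllow=/dev/null rw
DevicePolicy=strict
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
# Whole filesystem read-only except the mirror directory itself.
ProtectSystem=strict
ReadWritePaths={{ whawty_auth_store.config.basedir }}
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
# ssh needs AF_INET/AF_INET6; AF_UNIX is kept for local sockets
# (e.g. nscd/agent lookups) -- presumably, verify before tightening.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target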