# systemd service unit template: periodic/continuous sync for one whawty-auth store.
# Rendered by a Jinja2-style template engine; `item.key` is the store name and
# `item.value` its configuration (presumably an Ansible loop item - confirm against
# the playbook that installs this file).
# systemd accepts only full-line comments; do not append comments to directive lines.

[Unit]
Description=sync for whawty-auth store {{ item.key }}

[Service]
Type=simple
# Restart unconditionally whenever run.sh exits, including on clean exit.
Restart=always
ExecStart=/etc/whawty/auth/.store-{{ item.key }}-sync/run.sh

# systemd hardening-options
# No User= is set, so the script runs as root; the bounding set below reduces
# root's effective capabilities to ownership changes only (CAP_CHOWN, CAP_FOWNER).
# AmbientCapabilities= is a no-op for root but keeps the unit correct if a User=
# is added later.
AmbientCapabilities=CAP_CHOWN CAP_FOWNER
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
# Device access: private /dev with only /dev/null read-writable.
DeviceAllow=/dev/null rw
DevicePolicy=strict
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
# strict: the entire file system is read-only except the paths listed in
# ReadWritePaths=. The ExecStart script lives under /etc and is read-only too.
ProtectSystem=strict
# Writable paths: the store's basedir, plus the node-exporter textfile-collector
# directory only when sync.prometheus is enabled (defaults to false).
# The trailing `{{ '' }}` appears to be there to preserve the line ending when the
# template engine trims whitespace after `{% endif %}` - confirm before removing.
ReadWritePaths={{ item.value.config.basedir }}{% if (item.value.sync.prometheus | default(False)) %} /var/lib/prometheus-node-exporter/textfile-collector/{% endif %}{{ '' }}
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
# Only UNIX-domain and IPv4/IPv6 sockets; presumably the sync talks to a remote
# store over the network (confirm against run.sh).
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=native
# NOTE(review): ProtectKernelLogs=, ProtectClock=, ProtectHostname= and
# RestrictSUIDSGID= are not set; consider enabling them once run.sh is verified
# to work under them (check with `systemd-analyze security <unit>`).

[Install]
WantedBy=multi-user.target