# Podman Quadlet container unit for the Unifi Network application.
# This file is a template: the image name and tag placeholders are rendered
# before the unit is installed.

[Unit]
Description=Unifi Network
# Pulls in and orders after network.target only.
# NOTE(review): network.target does not guarantee that the network is up.
# If the image may have to be pulled at start-up, confirm whether
# network-online.target is needed instead.
Wants=network.target
After=network.target

[Container]
# NOTE(review): the image is selected by a mutable tag taken from a template
# variable. Confirm whether the deployment policy requires pinning by digest.
Image={{ unifi_container_image }}:{{ unifi_version }}
# Bind-mount this unit's state directory (%S/%N) and log directory (%L/%N)
# read-write into the container.
# U: chown the host directory to the container's user.
# Z: relabel with a private (unshared) SELinux label.
Volume=%S/%N:/var/lib/unifi:rw,U,Z
Volume=%L/%N:/var/log/unifi:rw,U,Z
# The container shares the host network namespace: there is no port mapping
# and no network isolation, so every port the application opens is bound
# directly on the host. Exposure has to be limited by the host firewall.
Network=host
# Processes in the container cannot gain privileges through setuid/setgid
# binaries or file capabilities.
NoNewPrivileges=yes
# Container root filesystem is read-only. ReadOnlyTmpfs keeps writable tmpfs
# mounts on the usual scratch paths (such as /tmp and /run), so only those
# and the two volumes above accept writes.
ReadOnly=yes
ReadOnlyTmpfs=true
# Readiness is reported by the container itself via sd_notify.
# NOTE(review): confirm the image sends the notification; if it does not,
# start-up presumably blocks until TimeoutStartSec expires.
Notify=yes

[Service]
# systemd creates %S/%N and %L/%N (the Volume= sources above) before start
# and keeps them writable under ProtectSystem=strict.
StateDirectory=%N
LogsDirectory=%N
# Start-up may take up to five minutes before systemd treats it as failed.
TimeoutStartSec=5min
# Restarted on any exit, including a clean one.
Restart=always
# Host-side sandboxing of the service.
# NOTE(review): these directives apply to the podman processes started by
# this service; verify how far each one reaches the container payload.
# Private /tmp and /var/tmp.
PrivateTmp=yes
# System clock cannot be changed.
ProtectClock=yes
# /home, /root and /run/user are inaccessible.
ProtectHome=yes
# Kernel modules cannot be loaded or unloaded.
ProtectKernelModules=yes
# Processes of other users are hidden in /proc.
ProtectProc=invisible
# The whole host file system is read-only except the paths listed below and
# the StateDirectory/LogsDirectory above.
ProtectSystem=strict
# NOTE(review): /run is writable in its entirety, which is broad; confirm
# which runtime paths podman actually needs and narrow this if possible.
ReadWritePaths=/run
# Podman image and container store.
ReadWritePaths=/var/lib/containers/storage
# NOTE(review): presumably redundant with StateDirectory=%N; confirm.
ReadWritePaths=%S/%N
# Realtime scheduling policies cannot be acquired.
RestrictRealtime=yes
# Files created by the service are accessible to their owner only.
UMask=0077

[Install]
# Started at boot as part of the normal multi-user system.
WantedBy=multi-user.target