[Unit]
Description=Fetch Nextcloud database client certificate
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
Environment=LOG_LEVEL=debug
ExecStart=/usr/local/libexec/nextcloud-fetch-cert.py
LoadCredential=nextcloud.fetchcert.token
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_CHOWN
PrivateTmp=yes
ProtectHome=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=full
ReadWritePaths=/etc/nextcloud