# Podman Quadlet container unit for the Unifi Network application.
# This file is a template: the double-brace placeholders (image, version,
# storage path) are substituted when it is rendered.
# Comments are full-line only; systemd does not support trailing comments.

[Unit]
Description=Unifi Network
# network.target only orders this unit after the network stack has started;
# it does not wait for addresses or routes to be configured.
Wants=network.target
After=network.target

[Container]
# NOTE(review): the image is referenced by tag, and a tag can be re-pointed
# upstream. Pinning by digest would need a change to this template line.
Image={{ unifi_container_image }}:{{ unifi_version }}
# Persistent data lives on the host path mounted read-write at /config.
# The Z option relabels the host path with a private SELinux label, so the
# rendered path must be a directory dedicated to this container.
Volume={{ unifi_storage_path }}:/config:rw,Z
# The container shares the host network namespace: there is no network
# isolation, and every port it listens on is bound on the host's interfaces.
# Any filtering has to come from the host firewall.
Network=host
# Container processes cannot gain privileges through setuid/setgid binaries
# or file capabilities.
NoNewPrivileges=yes
# Automatically allocated user namespace, with container UID/GID 911 forced
# to map to host UID/GID 911 (one ID each).
# NOTE(review): presumably 911 is the account the image runs the service as
# and the owner of the storage path on the host; confirm against the image.
UserNS=auto:gidmapping=911:911:1,uidmapping=911:911:1
# Fresh tmpfs on /tmp inside the container; nothing there survives a restart.
VolatileTmp=yes
# Readiness notification is handed to the container itself rather than to
# the container runtime.
# NOTE(review): confirm the image actually sends a readiness notification;
# if it does not, the unit will not reach the active state.
Notify=yes

[Service]
# The settings below sandbox the host-side service that Quadlet generates.
Restart=always
PrivateTmp=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectProc=invisible
# strict makes the file system hierarchy read-only for this service;
# only the ReadWritePaths entries below are writable again.
ProtectSystem=strict
# NOTE(review): /run is a broad writable path, presumably needed for Podman
# runtime state; narrow it if a more specific directory is sufficient.
ReadWritePaths=/run
ReadWritePaths=/var/lib/containers/storage
ReadWritePaths={{ unifi_storage_path }}
RestrictRealtime=yes
# Files created by the service process default to owner-only permissions.
UMask=0077

[Install]
WantedBy=multi-user.target