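# Podman Quadlet unit: one-shot job that runs Lego to fetch the initial
# certificate. When a Condition* check below is not met, systemd skips the
# unit instead of failing it.
[Unit]
Description=Lego Let's Encrypt client - Fetch a certificate
Documentation=https://go-acme.github.io/lego/
PartOf=lego.target

# Only start if no certificates exist yet
ConditionPathExistsGlob=!/var/lib/quadlets/lego/certificates/*.crt

# and if Lego has been configured (positive check: no "!" prefix on this one)
ConditionPathExists=/etc/quadlets/lego/config.env

[Container]
ContainerName=lego-run

# No need for root privileges
User=10023
Group=10000

# Image
# NOTE(review): ":latest" together with AutoUpdate=registry means the image
# content can change without any change to this file, and that image runs with
# access to the private keys in the volume below. Consider pinning a specific
# version tag or digest and updating it deliberately.
Image=docker.io/goacme/lego:latest
AutoUpdate=registry

# Network configuration
# Network=host puts the container in the host's network namespace, so there is
# no network isolation. Presumably needed for the ACME challenge - confirm.
Network=host

# Environment variables from config
# Every variable in this file is passed into the container.
# NOTE(review): the file likely holds ACME / DNS-provider credentials - keep it
# owned by root and not readable or writable by other users.
EnvironmentFile=/etc/quadlets/lego/config.env

# Volume mounts
# Certificates and their private keys are written here. ":z" applies a shared
# SELinux label, so other containers mounting this path with ":z" can access it.
Volume=/var/lib/quadlets/lego:/.lego:z

# Be safe, set the umask to 0077 so that private keys are not world-readable
# (this only affects files created by this run; existing files keep their mode)
PodmanArgs=--umask=0077

# Command to run
# Unbraced $VAR is expanded by systemd and split on whitespace into separate
# arguments, so whoever can write config.env controls the lego command line.
Exec=$LEGO_GLOBAL_ARGS run $LEGO_RUN_ARGS

[Service]
# If the command fails, don't try to restart it.
# Otherwise, we would hammer the Let's Encrypt servers and possibly get banned.
Restart=no

# Getting a certificate may take some time
TimeoutStartSec=600

# This container is a job - run once to completion
Type=oneshot

# These environment variables are sourced to be used by systemd in the Exec* commands
# (same file as in [Container]; that entry feeds the container, this one feeds
# the $LEGO_* expansion in Exec=)
EnvironmentFile=/etc/quadlets/lego/config.env

[Install]
WantedBy=lego.target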