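# SPDX-License-Identifier: GPL-3.0
# Denis Kanuf
# Based on systemd-nspawn@.service
#
# Template unit: the instance name (%i) is the serial device node under /dev
# that the container is bound to, e.g. octoprint@ttyUSB0.service.

[Unit]
Description=OctoPrint Container for %i
Documentation=man:systemd-nspawn(1)
PartOf=machines.target
Before=machines.target
After=network.target systemd-resolved.service
RequiresMountsFor=/var/lib/machines
# Tie the container's lifetime to the serial device unit. BindsTo= is the
# current spelling of the directive; BindTo= is the legacy name.
# NOTE(review): systemd.unit(5) recommends pairing BindsTo= with After= on the
# same unit for the stricter "only active while the device is" behaviour;
# confirm whether that is wanted here.
BindsTo=dev-%i.device

[Service]
# The root directory is per instance (octoprint@%i), created from
# octoprint-template on first start. A hard-coded instance name here would make
# every instance boot the same writable root tree while using a different
# /etc overlay, so instances would not be isolated from each other.
# /usr is shared read-only from the base tree; /etc is an overlay whose upper
# layer lives in the instance directory. Only /dev/%i is bind-mounted in.
# NOTE(review): this command line passes neither --private-network /
# --network-veth nor -U / --private-users, so as written the container shares
# the host network namespace and is not user-namespaced; confirm that this is
# intended for the deployment.
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest \
    --settings=override \
    --directory=/var/lib/machines/octoprint@%i --template=/var/lib/machines/octoprint-template \
    --overlay=/var/lib/machines/octoprint/etc:/var/lib/machines/octoprint@%i/etc:/etc \
    --bind-ro=/var/lib/machines/octoprint/usr:/usr --bind=/dev/%i --machine=%i --hostname=%i
KillMode=mixed
Type=notify
# 133 is treated both as success and as a reason to restart the service.
RestartForceExitStatus=133
SuccessExitStatus=133
WatchdogSec=3min
Slice=machine.slice
Delegate=yes
TasksMax=16384

# Enforce a strict device policy, similar to the one nspawn configures when it
# allocates its own scope unit. Make sure to keep these policies in sync if you
# change them!
DevicePolicy=closed
DeviceAllow=/dev/net/tun rwm
DeviceAllow=char-pts rw

# nspawn itself needs access to /dev/loop-control and /dev/loop, to implement
# the --image= option. Add these here, too.
# NOTE(review): ExecStart above uses --directory=, not --image=; if no image is
# ever used, these three entries widen the device allow-list for no benefit.
DeviceAllow=/dev/loop-control rw
DeviceAllow=block-loop rw
DeviceAllow=block-blkext rw

# nspawn can set up LUKS encrypted loopback files, in which case it needs
# access to /dev/mapper/control and the block devices /dev/mapper/*.
# NOTE(review): same consideration as for the loop devices above.
DeviceAllow=/dev/mapper/control rw
DeviceAllow=block-device-mapper rw

# octoprint needs access to serial-interfaces.
# /dev/%i is the one node bind-mounted into the container. char-ttyUSB allows
# the whole ttyUSB device class, which is broader than that single node.
# NOTE(review): if only /dev/%i is needed, consider dropping the class-wide
# entry so one instance cannot be granted access to another instance's adapter.
DeviceAllow=/dev/%i rw
DeviceAllow=char-ttyUSB rw

[Install]
WantedBy=machines.target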