# Podman Quadlet unit (.container) that runs the UniFi controller image as a
# systemd-managed service inside the pod defined by unifi.pod.
# Comments must stay on their own lines: systemd treats trailing text after a
# value as part of the value.

[Unit]
Description=Unifi Network
# NOTE(review): network.target does not wait for connectivity. If the image
# has to be pulled at start-up, network-online.target is the usual ordering
# target - confirm which one is intended.
Wants=network.target
After=network.target

[Container]
# NOTE(review): the image reference carries no tag or digest, so it resolves
# to the registry's current "latest". For a reproducible and auditable
# deployment, pin it, e.g. Image=<registry>/<image>@sha256:<digest>
# (placeholder - take the real digest from a verified pull).
Image=lscr.io/linuxserver/unifi-controller
# Host state directory mounted read-write at /config; "Z" asks for a private
# SELinux relabel so only this container's label can access it.
Volume=/var/lib/unifi:/config:rw,Z
# Block privilege gain through setuid/setgid binaries inside the container.
NoNewPrivileges=yes
# Automatically allocated user namespace, with container UID/GID 911 forced
# to map to host UID/GID 911 (size 1).
# NOTE(review): podman has rejected --userns when combined with --pod, since
# pod members share the pod's user namespace. Confirm on the deployed version
# that this mapping is really in effect (or set it in unifi.pod); otherwise
# the isolation it is meant to provide is silently absent.
UserNS=auto:gidmapping=911:911:1,uidmapping=911:911:1
# tmpfs on the container's /tmp, so nothing written there persists.
VolatileTmp=yes
# Hand the sd_notify socket to the container: the unit only becomes "active"
# once the containerised process reports READY itself.
# NOTE(review): verify that this image actually sends the notification;
# if it does not, start-up will fail at TimeoutStartSec.
Notify=yes
Pod=unifi.pod
# NOTE(review): no capability drop or read-only root filesystem is set here
# (Quadlet offers DropCapability= and ReadOnly=). Consider them if the image
# tolerates it.

[Service]
# Creates /var/lib/unifi for the service.
# NOTE(review): the directory is created for the service user, while the
# container writes as host UID 911 per the mapping above - check that
# ownership and mode let that UID write.
StateDirectory=unifi
TimeoutStartSec=5min
Restart=always
# The directives below sandbox the host-side service processes started by
# this unit; presumably they are meant as defence in depth around podman -
# confirm they do not interfere with image pulls or storage set-up.
PrivateTmp=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectProc=invisible
# Whole file system is read-only for the service, except for the paths
# re-opened for writing just below.
ProtectSystem=strict
ReadWritePaths=/run
ReadWritePaths=/var/lib/containers/storage
ReadWritePaths=/var/lib/unifi
RestrictRealtime=yes
# Files created by the service are accessible to their owner only.
UMask=0077

[Install]
WantedBy=multi-user.target