[Unit]
Description=Unifi Network
Wants=network.target
After=network.target

[Container]
Image=lscr.io/linuxserver/unifi-controller
Volume=/var/lib/unifi:/config:rw,Z
NoNewPrivileges=yes
UserNS=auto:gidmapping=911:911:1,uidmapping=911:911:1
VolatileTmp=yes
Notify=yes
Pod=unifi.pod
PublishPort=6789:6789
PublishPort=8080:8080
PublishPort=8443:8443
PublishPort=8843:8843
PublishPort=8880:8880

[Service]
TimeoutStartSec=5min
Restart=always
PrivateTmp=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectProc=invisible
ProtectSystem=strict
ReadWritePaths=/run
ReadWritePaths=/var/lib/containers/storage
ReadWritePaths=/var/lib/unifi
RestrictRealtime=yes
UMask=0077

[Install]
WantedBy=multi-user.target