[Unit]
Description=Certificate Update Runner for Dehydrated
ConditionPathExists=/etc/dehydrated/config
After=network-online.target
Wants=acmeresponder.socket

[Service]
Type=oneshot
ExecStartPre-=/usr/bin/sh -c 'for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done;'
ExecStart=/usr/bin/dehydrated --cron

# dehydrated --cron will drop permissions and run critical code as dehydrated user.
User=root
Group=root