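# systemd service: runs "dehydrated --cron" once per activation, then runs the
# post-run hooks.

[Unit]
Description=Certificate Update Runner for Dehydrated
# Skip the run when dehydrated has not been configured.
ConditionPathExists=/etc/dehydrated/config
# After= only orders this unit relative to network-online.target. Wants= is
# what pulls the target into the transaction, so the ordering takes effect.
Wants=network-online.target
After=network-online.target
Wants=acmeresponder.socket

[Service]
Type=oneshot
# The service starts as root. Only the ExecStart command changes identity (via
# su); every other Exec line in this unit keeps root privileges.
User=root
Group=root
# Supplies DEHYDRATED_USER and DEHYDRATED_GROUP to the ExecStart line below.
# NOTE(review): this file selects the account the renewal runs as, so it
# should be writable by root only.
EnvironmentFile=/etc/dehydrated/config
# su switches to the configured user and group before "dehydrated --cron"
# runs, so the ACME client itself does not run as root.
# NOTE(review): a bare $VAR word expands to zero arguments when the variable
# is unset or empty, which shifts su's remaining arguments. Confirm that both
# variables are always set in the config file.
ExecStart=/usr/bin/su -s /bin/bash -c "/usr/bin/dehydrated --cron" -g $DEHYDRATED_GROUP $DEHYDRATED_USER
# Runs every executable regular file directly inside the hooks directory, as
# root. @POSTRUNHOOKS_DIR@ looks like a build-time placeholder; verify the
# substituted path. The leading "-" makes systemd ignore a failure here.
# NOTE(review): -L makes find follow symlinks, so the directory, the hook
# files and any symlink targets must be owned by root and not writable by the
# dehydrated user or group. Otherwise that account can run code as root.
ExecStartPost=-/usr/bin/find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f -exec {} \;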