# Borg local sync: one-shot systemd service that runs
# /usr/local/bin/borg-local-sync.sh as root with file-system sandboxing.
# This file is a template: the borg_config_dir placeholder in ReadWritePaths=
# has to be rendered to a real path before systemd reads the unit.

[Unit]
Description=Borg Local Sync - Copy Borg repository to local storage
Documentation=man:borg(1)
Wants=network-online.target
# Ordering only: After= places this unit behind the network and the main
# backup when they are started together. It neither pulls in
# borg-backup.service nor requires that the backup succeeded.
After=network-online.target borg-backup.service

[Service]
# oneshot: the unit counts as started only once the script has exited.
Type=oneshot
# The script runs as root.
# NOTE(review): it should therefore be root-owned and not writable by other
# users - confirm how it is deployed.
User=root
Group=root

# Fixed environment for the script
Environment="PATH=/usr/local/bin:/usr/bin:/bin"
Environment="LANG=en_US.UTF-8"
Environment="LC_ALL=en_US.UTF-8"

# Command to run
ExecStart=/usr/local/bin/borg-local-sync.sh

# Start timeout in seconds (the initial copy may take a while). With
# Type=oneshot this bounds the whole script run: a sync still running after
# one hour is stopped and the unit fails.
TimeoutStartSec=3600
TimeoutStopSec=300

# Sandbox: ProtectSystem=strict makes the file system read-only for this
# service and ProtectHome=read-only does the same for /home, /root and
# /run/user. Only the ReadWritePaths= entries stay writable.
# ReadWritePaths= is a space-separated list, so the rendered config directory
# must not contain whitespace.
# NOTE(review): /var/log is writable as a whole although output goes to the
# journal; narrow it if the script only needs its own log file or directory.
# NOTE(review): if the script calls borg itself, its cache and security
# directories under root's home need to be covered by ReadWritePaths= - confirm.
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/var/log /mnt/borg-backups {{ borg_config_dir }}
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# NOTE(review): NoNewPrivileges= is not set; consider enabling it once it is
# confirmed that the script does not rely on setuid helpers.

# Resource limits: memory ceiling, 80% of one CPU, raised block-I/O weight
MemoryMax=2G
CPUQuota=80%
IOWeight=200

# Logging: stdout and stderr go to the journal under this identifier
StandardOutput=journal
StandardError=journal
SyslogIdentifier=borg-local-sync

[Install]
# Enabling the unit attaches it to multi-user.target, so it is started at boot.
# NOTE(review): confirm this is intended if a timer or borg-backup.service is
# meant to trigger the sync instead.
WantedBy=multi-user.target