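[Unit]
Description=CIS490 lab-host mTLS leaf cert fetch (idempotent)
Documentation=https://maxgit.wg/spectral/CIS490
# Ordering only: run after the network and the wg0 tunnel when they are
# part of the same transaction.
After=network-online.target wg-quick@wg0.service
# Deliberately no Wants=network-online.target — if the network is down the
# script exits 0 silently and the timer will retry.

[Service]
Type=oneshot
# Runs as root because the script writes /etc/cis490/certs/ (owned by
# root, gid cis490) and may need to systemctl-restart cis490-shipper.
ExecStart=/opt/cis490/scripts/fetch-lab-host-cert.sh
StandardOutput=journal
StandardError=journal
# The script runs as root and handles data fetched over the network, so
# narrow what a compromised or buggy run can reach. Neither setting blocks
# writing the cert directory or asking systemd to restart another unit.
NoNewPrivileges=yes
PrivateTmp=yes
# NOTE(review): further hardening to confirm against the script before
# enabling (it is not visible here, so its other write paths are unknown):
#   ProtectSystem=full
#   ReadWritePaths=/etc/cis490/certs
#   ProtectHome=yes
# NOTE(review): Type=oneshot has no start timeout by default, so a hung
# fetch stays "activating" and the timer cannot start another run. Set
# TimeoutStartSec= once a safe upper bound for the script is known.

[Install]
# The TIMER is what gets enabled. An operator can force a one-shot fetch
# (e.g. right after editing host_id) with
# `systemctl start cis490-cert-fetch.service`; that works without this
# section. WantedBy only takes effect if this service itself is enabled,
# in which case it also runs once at boot.
WantedBy=multi-user.target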