# Managed by Ansible — do not edit by hand.
# veza_app role, templates/veza-backend.service.j2.
# Released SHA: {{ veza_release_sha }} ; color: {{ veza_target_color }}
[Unit]
Description=Veza backend API (Go) — color {{ veza_target_color }}, sha {{ veza_release_sha[:12] }}
Documentation=https://veza.fr/docs
After=network-online.target
Wants=network-online.target
AssertPathExists={{ veza_app_current_link }}/{{ veza_app_binary_name }}

[Service]
Type=simple
User={{ veza_app_user }}
Group={{ veza_app_group }}
EnvironmentFile=-{{ veza_app_env_file }}
WorkingDirectory={{ veza_app_current_link }}
ExecStart={{ veza_app_current_link }}/{{ veza_app_binary_name }}
Restart=on-failure
RestartSec=5s
LimitNOFILE=65535

# Hardening — same baseline as the other Ansible-managed daemons.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths={{ veza_app_install_dir }} {{ veza_log_root }} {{ veza_state_root }}
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

[Install]
WantedBy=multi-user.target