# Managed by Ansible — do not edit by hand.
# v1.0.9 W4 Day 19.
#
# systemd unit for the backend API, rendered from a Jinja2 template.
# The {{ backend_api_binary_name }} binary itself is deployed out-of-band
# (Makefile target + incus file push); this unit only knows where to find it.
#
# NOTE(review): nothing in this unit checks the integrity of the pushed
# binary, so the trust boundary is whoever can run the out-of-band deploy.
# Confirm that path is access-controlled.

[Unit]
Description=Veza backend API (Go) — instance on {{ ansible_hostname }}
Documentation=https://veza.fr/docs
# Order after, and pull in, network-online.target so the network is up
# before the API starts.
After=network-online.target
Wants=network-online.target
# Assert* (unlike Condition*) makes the start job fail loudly when the
# binary has not been deployed yet, instead of being skipped quietly.
AssertPathExists={{ backend_api_install_dir }}/{{ backend_api_binary_name }}

[Service]
# Type=simple: no readiness notification; the unit counts as started as
# soon as the process has been spawned.
Type=simple
# Runs under a dedicated account; the group name is the same variable.
User={{ backend_api_user }}
Group={{ backend_api_user }}
# The leading "-" means a missing env file is ignored rather than treated
# as an error, so the service can start without its configuration.
# NOTE(review): presumably this file carries secrets. systemd reads it
# itself before dropping privileges, so it can stay root-owned with a
# restrictive mode; confirm the role that writes it does so.
EnvironmentFile=-{{ backend_api_env_file }}
WorkingDirectory={{ backend_api_install_dir }}
ExecStart={{ backend_api_install_dir }}/{{ backend_api_binary_name }}
# Restart after an unclean exit (non-zero status, signal, timeout) with a
# 5 second delay; a clean exit is not restarted.
Restart=on-failure
RestartSec=5s
# Open file descriptor limit for the service.
LimitNOFILE=65535

# Hardening — same baseline as the other Ansible-managed daemons.
# The process and its children cannot gain privileges through setuid
# binaries or file capabilities.
NoNewPrivileges=true
# The whole file system hierarchy is mounted read-only for the service,
# apart from the API file systems and the ReadWritePaths listed below.
ProtectSystem=strict
# /home, /root and /run/user are made inaccessible.
ProtectHome=true
# Exceptions to ProtectSystem=strict. This only lifts the read-only mount;
# ordinary file ownership and permissions still apply.
# NOTE(review): the install dir is writable here and also holds the
# executable started by ExecStart. If the service user owns that binary or
# directory, a compromised process could replace the file that
# Restart=on-failure runs next. Keep both owned by root, or narrow this to
# the data subdirectory the API actually writes to. Whether the API needs
# to write there at all is not visible from this template.
ReadWritePaths={{ backend_api_install_dir }} {{ backend_api_log_dir }}
# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=true
# Kernel tunables (/proc/sys, /sys, ...) are read-only for the service.
ProtectKernelTunables=true
# Explicit loading and unloading of kernel modules is denied.
ProtectKernelModules=true
# The control group hierarchy is read-only for the service.
ProtectControlGroups=true
# NOTE(review): the baseline leaves devices, address families, the
# capability bounding set and system calls unrestricted. Candidates to
# evaluate for a network daemon: PrivateDevices=, RestrictAddressFamilies=,
# CapabilityBoundingSet=, SystemCallFilter=, RestrictSUIDSGID=,
# LockPersonality=. "systemd-analyze security" on the rendered unit lists
# what is still exposed; test in the container before rolling out.

[Install]
WantedBy=multi-user.target