# FlaskPaste systemd service unit
# Install: sudo cp flaskpaste.service /etc/systemd/system/
# Enable:  sudo systemctl daemon-reload && sudo systemctl enable --now flaskpaste
#
# Configuration via environment file: /etc/flaskpaste/env
# See README.md for all available environment variables

[Unit]
Description=FlaskPaste REST API pastebin
Documentation=https://github.com/username/flaskpaste
After=network-online.target
Wants=network-online.target

[Service]
Type=exec
User=flaskpaste
Group=flaskpaste
WorkingDirectory=/opt/flaskpaste

# Environment configuration
EnvironmentFile=-/etc/flaskpaste/env

# Gunicorn WSGI server
# Workers = 2 * CPU cores + 1 (adjust based on load)
ExecStart=/opt/flaskpaste/venv/bin/gunicorn \
    --bind 127.0.0.1:5000 \
    --workers 4 \
    --worker-class sync \
    --timeout 30 \
    --keep-alive 5 \
    --max-requests 1000 \
    --max-requests-jitter 50 \
    --access-logfile - \
    --error-logfile - \
    --capture-output \
    wsgi:app

# Restart policy
Restart=on-failure
RestartSec=5s
StartLimitIntervalSec=60
StartLimitBurst=3

# Resource limits
LimitNOFILE=65536
LimitNPROC=4096

# Security hardening (systemd v232+)
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

# Read-write paths (database, data directory)
ReadWritePaths=/opt/flaskpaste/data

# Capabilities
CapabilityBoundingSet=
AmbientCapabilities=

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=flaskpaste

[Install]
WantedBy=multi-user.target