[Unit]
Description=Grafana visualization platform
Documentation=https://grafana.com/docs/
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User={{ grafana_user }}
Group={{ grafana_group }}

WorkingDirectory=/opt/grafana
ExecStart=/opt/grafana/bin/grafana-server \
  --config=/etc/grafana/grafana.ini \
  --homepath=/opt/grafana

Restart=on-failure
RestartSec=5s

# Security hardening
{% if grafana_systemd_security %}
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths={{ grafana_data_dir }} {{ grafana_logs_dir }}
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
{% endif %}

[Install]
WantedBy=multi-user.target