[Unit]
Description=Sigvild Wedding Gallery API
After=network.target

[Service]
Type=simple
User={{ sigvild_gallery_user }}
Group={{ sigvild_gallery_user }}
WorkingDirectory={{ sigvild_gallery_home }}
ExecStart={{ sigvild_gallery_binary }} serve --http={{ sigvild_gallery_host }}:{{ sigvild_gallery_port }}

# Environment variables 
Environment="SIGVILD_ENVIRONMENT"="production" # Lets caddy handle CORS
Environment="HOST_USERNAME={{ sigvild_gallery_host_username }}"
Environment="HOST_PASSWORD={{ sigvild_gallery_host_password }}"
Environment="HOST_DISPLAY_NAME=Wedding Host"
Environment="GUEST_USERNAME={{ sigvild_gallery_guest_username }}"
Environment="GUEST_PASSWORD={{ sigvild_gallery_guest_password }}"
Environment="GUEST_DISPLAY_NAME=Wedding Guest"

# Restart configuration
Restart=always
RestartSec=3

# Security sandboxing
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths={{ sigvild_gallery_data_dir }}

# Allow binding to port (if needed)
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target