[Unit]
Description=EdgeGuard Management API
Documentation=https://git.netcell-it.de/projekte/edgeguard-native
After=network-online.target postgresql.service keydb-server.service
Wants=network-online.target keydb-server.service
Requires=postgresql.service

[Service]
Type=simple
User=edgeguard
Group=edgeguard
ExecStart=/usr/bin/edgeguard-api
Restart=on-failure
RestartSec=5

# Hardening — API needs to shell out to `sudo systemctl reload haproxy/squid`
# after writing configs. Sandboxing stays strict around fs/net.
NoNewPrivileges=false
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
PrivateTmp=true
PrivateDevices=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
SystemCallFilter=@system-service
ReadWritePaths=/etc/edgeguard /var/lib/edgeguard /var/log/edgeguard

[Install]
WantedBy=multi-user.target