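# left4me web application — system unit.
#
# This is the REFERENCE COPY of the deployed unit base body. The live
# source is the systemd/units reactor at
# ~/Projekte/ckn-bw/bundles/left4me/metadata.py (look for
# 'left4me-web.service').
#
# Hardening: see left4me-web.service.d/10-hardening.conf
#
# Threat model + defenses + tests: see docs/superpowers/specs/2026-05-15-hardening-*
#
# NOTE(review): this base body carries no sandboxing directives of its own
# apart from ReadWritePaths=. The effective confinement depends on the
# drop-in named above being installed alongside it; check the merged result
# with `systemctl cat left4me-web.service` and
# `systemd-analyze security left4me-web.service` on the host.

[Unit]
Description=left4me web application
# Ordered after, and pulling in, network-online.target.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Runs as the unprivileged left4me account, not root.
User=left4me
Group=left4me
WorkingDirectory=/opt/left4me/src
# Two assignments on one line (HOME and PATH). PATH lists the virtualenv's
# bin directory first, so it takes precedence over the system directories.
Environment=HOME=/var/lib/left4me PATH=/var/lib/left4me/.venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Read in the order listed; a variable set in web.env overrides the same
# variable from host.env, and both override Environment= above.
# NOTE(review): if either file carries secrets, keep it root-owned and not
# world-readable — file modes are not visible from this unit, confirm in the
# deployment bundle.
EnvironmentFile=/etc/left4me/host.env
EnvironmentFile=/etc/left4me/web.env
# Placeholder values for --workers / --threads. Live emission interpolates
# from metadata.get('left4me/gunicorn_workers') and gunicorn_threads.
# The listener is bound to loopback only (127.0.0.1:8000); presumably a
# reverse proxy on the same host fronts it — confirm. The app factory
# argument is single-quoted so systemd passes it as one argument.
ExecStart=/var/lib/left4me/.venv/bin/gunicorn --workers 1 --threads 32 --bind 127.0.0.1:8000 'l4d2web.app:create_app()'
# Restart after an unclean exit, waiting 3 seconds between attempts.
Restart=on-failure
RestartSec=3
# Web writes broadly under /var/lib/left4me (DB, instance configs,
# overlays, runtime). Kept inline because it's web-specific
# (server@ uses BindPaths to bind only its instance dir).
# ReadWritePaths= only re-opens a path that another directive has made
# read-only (e.g. ProtectSystem=strict); that directive is expected in the
# hardening drop-in and is not visible here.
# NOTE(review): the virtualenv that ExecStart runs from
# (/var/lib/left4me/.venv) sits inside this writable tree. If the left4me
# user can write to it, code running in the web process could alter what is
# executed on the next restart. Confirm the venv is owned by a different
# user or is covered by ReadOnlyPaths= in the drop-in.
ReadWritePaths=/var/lib/left4me

[Install]
WantedBy=multi-user.target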