# systemd service unit for the left4me web application (gunicorn, one
# worker process with a thread pool). Same directives as before, laid out
# one per line with the reasoning for the sandboxing choices kept next to
# the directives they apply to.

[Unit]
Description=left4me web application
# Start only once the network is actually up, since the service binds a
# TCP port immediately.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple

# Run as a dedicated unprivileged account rather than root.
User=left4me
Group=left4me
WorkingDirectory=/opt/left4me

# HOME points at the one directory the unit is allowed to write
# (see ReadWritePaths below); PATH puts the app's venv first.
Environment=HOME=/var/lib/left4me
Environment=PATH=/opt/left4me/.venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Both files are required (no leading "-"), so a missing file is a start
# failure rather than a silently unconfigured service. web.env is read
# second and therefore wins on overlapping keys.
EnvironmentFile=/etc/left4me/host.env
EnvironmentFile=/etc/left4me/web.env

# NOTE(review): --bind 0.0.0.0:8000 listens on every interface; confirm
# that a firewall or reverse proxy restricts who can reach :8000 if the
# application is not meant to be exposed directly.
ExecStart=/opt/left4me/.venv/bin/gunicorn --workers 1 --threads 32 --bind 0.0.0.0:8000 'l4d2web.app:create_app()'

# Restart on crash/non-zero exit only, not on a clean stop.
Restart=on-failure
RestartSec=3

# --- Sandboxing -------------------------------------------------------
#
# NoNewPrivileges intentionally not set: the worker invokes sudo to run
# the left4me-systemctl, left4me-journalctl, and left4me-overlay
# privileged helpers, all setuid via sudo. Because sudo stays reachable
# from the worker, the sudoers rules granting exactly those three
# helpers are the effective privilege boundary of this unit.
#
# ProtectSystem=full + ReadWritePaths implicitly give this unit a private
# mount namespace, but mount visibility no longer depends on it: overlay
# mounts are performed by the left4me-overlay helper, which nsenters into
# PID 1's mount namespace, so the resulting mount lives in the host
# namespace where the per-instance gameserver units can see it.

# "full" mounts /usr, the boot loader directories and /etc read-only for
# this service; the state directory is re-enabled for writing explicitly.
ProtectSystem=full
ReadWritePaths=/var/lib/left4me
# Private /tmp and /var/tmp, not shared with other services on the host.
PrivateTmp=true

[Install]
WantedBy=multi-user.target