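# Sando daemon systemd service
# Place at /etc/systemd/system/sandod.service on the Sando host (fw13).
#
# Commands:
#   sudo systemctl daemon-reload
#   sudo systemctl enable sandod
#   sudo systemctl start sandod
#   sudo systemctl status sandod
#   journalctl -u sandod -f
#
# After editing the hardening block, re-score the sandbox with:
#   systemd-analyze security sandod

[Unit]
Description=Sando deploy controller
Documentation=https://github.com/maxjmath/MNW
# Start after networking and PostgreSQL. Wants= is a weak dependency:
# sandod still starts if postgresql.service is missing or fails.
After=network.target postgresql.service
Wants=postgresql.service

[Service]
Type=simple
# Runs as a dedicated account, not root.
User=sando
Group=sando
WorkingDirectory=/srv/sando
ExecStart=/usr/local/bin/sandod
Restart=on-failure
RestartSec=5
Environment=SANDO_CONFIG=/etc/sando/sando-daemon.toml
# NOTE(review): /srv/sando/.cargo/bin is searched first and sits inside
# ReadWritePaths=/srv/sando, so the service account can write to it. A file
# dropped there shadows any same-named system tool that the daemon or its
# children resolve through PATH. If nothing in that directory is meant to
# override system tools, move it to the end of PATH or mark it with
# ReadOnlyPaths=. Order left unchanged here; confirm before changing.
Environment=PATH=/srv/sando/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Environment=HOME=/srv/sando
# The leading "-" makes this file optional (no error when it is absent).
# If it carries credentials, keep it root-owned and not world-readable;
# systemd reads it itself, so the sando account needs no read access.
EnvironmentFile=-/etc/sando/sando.env

# Security hardening. Sando needs ssh outbound, git over fs, postgres over
# unix socket, and read/write on its own state dirs.
NoNewPrivileges=true
# Whole file system read-only except the paths listed in ReadWritePaths=.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/srv/sando
# Unix sockets (postgres) plus IPv4/IPv6 (ssh); other families are refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
SystemCallArchitectures=native
# Added in review: none of the needs listed above involve capabilities,
# physical device nodes, the kernel log or hostname changes, so deny them.
# Drop any of these lines if a deploy step turns out to depend on one.
CapabilityBoundingSet=
PrivateDevices=true
ProtectKernelLogs=true
ProtectHostname=true

LimitNOFILE=65535
StandardOutput=journal
StandardError=journal
SyslogIdentifier=sandod

[Install]
WantedBy=multi-user.target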