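# Makenotwork systemd service
# Place in /etc/systemd/system/makenotwork.service
#
# Commands:
#   sudo systemctl daemon-reload
#   sudo systemctl enable makenotwork
#   sudo systemctl start makenotwork
#   sudo systemctl status makenotwork
#   journalctl -u makenotwork -f
#
# After changing any sandboxing directive below, re-check the effective
# exposure with:
#   systemd-analyze security makenotwork

[Unit]
Description=Makenotwork - Fair creator platform
Documentation=https://makenot.work/docs
# Ordered after, and hard-dependent on, the local PostgreSQL unit: if
# postgresql.service fails to start or is stopped, this unit is stopped too.
After=network.target postgresql.service
Requires=postgresql.service

[Service]
Type=simple
# Runs as a dedicated unprivileged account, never as root.
User=makenotwork
Group=makenotwork
WorkingDirectory=/opt/makenotwork
ExecStart=/opt/makenotwork/makenotwork
Restart=always
RestartSec=5
# Exit code 2 = migration failure. Don't restart — operator must intervene.
RestartPreventExitStatus=2

# Environment file with secrets
# systemd reads this file itself before dropping to User=, so it can be
# root-owned with mode 0600.
# NOTE(review): that only holds if the application does not also open .env
# directly at runtime — confirm before tightening ownership.
EnvironmentFile=/opt/makenotwork/.env
Environment=HOME=/opt/makenotwork

# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
# NOTE(review): this write exception covers the whole install directory,
# which also holds the ExecStart= binary and the EnvironmentFile= above.
# Whether the service can modify them then depends only on file ownership and
# mode, which this unit does not show. With Restart=always, a replaced binary
# would be executed again on the next restart. Keep the executable and .env
# root-owned and not writable by the makenotwork user, or narrow this path to
# the subdirectory the application actually writes to.
ReadWritePaths=/opt/makenotwork
# Scan-spool tempfiles for streaming large uploads through the malware
# pipeline. systemd creates /var/lib/makenotwork/scan-spool, chowns to
# the service user, and adds it to ReadWritePaths automatically. Path
# is mirrored in `constants::SCAN_SPOOL_DIR`.
StateDirectory=makenotwork/scan-spool
# 0700: spooled uploads are readable only by the service user.
StateDirectoryMode=0700
# Sockets limited to local IPC and IP; netlink, packet and other families
# are refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
SystemCallArchitectures=native
# NOTE(review): not set in this unit: PrivateDevices=, ProtectKernelLogs=,
# ProtectClock=, ProtectHostname=, CapabilityBoundingSet=, SystemCallFilter=,
# UMask=. Each narrows the sandbox further, but none is enabled here because
# the application's requirements are not visible from this file. Evaluate
# them one at a time against a staging instance.

# Resource limits
LimitNOFILE=65535
MemoryMax=512M

# Logging (goes to journald)
StandardOutput=journal
StandardError=journal
SyslogIdentifier=makenotwork

[Install]
WantedBy=multi-user.target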