[Unit]
Description=LibreTime API Service
Requires=libretime-api.socket
PartOf=libretime.target

[Service]
NoNewPrivileges=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=full

Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/api.log

Type=notify
KillMode=mixed
ExecStart=@@VENV_DIR@@/bin/gunicorn \
        --workers 4 \
        --worker-class uvicorn.workers.UvicornWorker \
        --log-file - \
        --bind unix:/run/libretime-api.sock \
        libretime_api.asgi
ExecReload=/bin/kill -s HUP $MAINPID
Restart=always

User=libretime
Group=libretime

[Install]
WantedBy=multi-user.target