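# systemd service unit for the Emergency Access Key Server.
# Dialect: systemd unit file — `#` full-line comments only (text after a value
# is part of the value), `=` delimiter, repeated keys accumulate for list-type
# settings such as Environment=, ReadWritePaths= and IPAddressAllow=.

[Unit]
Description=Emergency Access Key Server
After=network.target
Wants=network.target
# Restart rate limit: more than 5 starts within 300 s marks the unit failed.
# These two keys belong in [Unit]; placing them in [Service] is only a legacy
# compatibility spelling and is not the documented location.
StartLimitIntervalSec=300
StartLimitBurst=5

[Service]
Type=simple
User=emergency-access
Group=emergency-access
WorkingDirectory=/opt/emergency-access
# Paths handed to the application; both live under the read-only config dir.
Environment=EMERGENCY_CONFIG=/etc/emergency-access/config.json
Environment=PYTHONPATH=/opt/emergency-access
Environment=NTFY_CONFIG=/etc/emergency-access/ntfy.yml
ExecStart=/opt/emergency-access/venv/bin/python /opt/emergency-access/main.py
# SIGHUP to the main process is the reload signal the application is expected to handle.
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
# seconds between restart attempts
RestartSec=5
StandardOutput=journal
StandardError=journal
SyslogIdentifier=emergency-access

# Security settings
NoNewPrivileges=true
# strict: the whole file system is read-only except paths listed in ReadWritePaths=.
ProtectSystem=strict
ProtectHome=true
# NOTE(review): all of /var/log is writable, although stdout/stderr already go to
# the journal. If the application writes its own log files, narrow this to that
# directory; if it does not, drop the line — confirm against main.py.
ReadWritePaths=/var/log
# Already read-only under ProtectSystem=strict; kept so the intent stays explicit.
ReadOnlyPaths=/etc/emergency-access
PrivateTmp=true
# No device access is needed for a userspace HTTP service.
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
# NOTE: breaks Python extensions that JIT or map W+X pages; the original unit
# already opted in, so the application is assumed to tolerate it.
MemoryDenyWriteExecute=true
RestrictSUIDSGID=true
# The service runs unprivileged and needs no capabilities at all.
CapabilityBoundingSet=
# Only local and IP sockets are required (IPv6 kept because localhost includes ::1).
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=native
# Conservative allow-list for ordinary services; if startup fails after this
# change, look for seccomp kills in the journal before widening it.
SystemCallFilter=@system-service

# Shutdown behaviour
# mixed: SIGTERM to the main process, SIGKILL to the whole cgroup after the timeout.
KillMode=mixed
# seconds to wait for a clean stop before SIGKILL
TimeoutStopSec=10

# Network restrictions - allow localhost only (Caddy reverse proxy)
# Applies to the service's own sockets in both directions; requires cgroup v2
# with BPF support, otherwise systemd logs a warning and the filter is not applied.
# "localhost" expands to 127.0.0.0/8 and ::1/128, so no separate CIDR entry is needed.
IPAddressDeny=any
IPAddressAllow=localhost
# NOTE(review): NTFY_CONFIG above suggests push notifications. If the ntfy server
# is not on this host, IPAddressDeny=any blocks that outbound traffic — confirm,
# and add its address to IPAddressAllow= if remote delivery is intended.

[Install]
WantedBy=multi-user.target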