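# systemd unit for the Veola price tracker.
# Read by systemd (unit-file syntax, not generic INI): '#' and ';' are
# full-line comments only, list-type keys accumulate when repeated, and an
# empty assignment resets a key.

[Unit]
Description=Veola price tracker
# Start only once the network is up so the first fetch at boot does not fail.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple

# --- Edit these for your host ---------------------------------------------
# User must be able to read config.toml and write WorkingDirectory (sqlite WAL).
User=veola
Group=veola
WorkingDirectory=/var/lib/veola
ExecStart=/usr/local/bin/veola-bin -config /etc/veola/config.toml
# ProtectSystem=strict (below) makes the whole filesystem read-only except the
# paths listed here, so this must name the same directory as WorkingDirectory
# (sqlite places its -wal/-shm files next to the db).
ReadWritePaths=/var/lib/veola
# --------------------------------------------------------------------------

Restart=on-failure
RestartSec=5s

# SIGINT triggers the graceful-shutdown path in main.go (matches Ctrl-C).
KillSignal=SIGINT
# Upper bound on the graceful shutdown before systemd falls back to SIGKILL.
TimeoutStopSec=45s

# Hardening. Veola only needs to read its config, write its sqlite db, and
# reach the network. Everything else can be locked down.
NoNewPrivileges=true
PrivateTmp=true
# No device access is needed, so give the service a private, minimal /dev
# (no raw block or character devices).
PrivateDevices=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
ProtectProc=invisible
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
# A Go binary does not need writable-and-executable memory mappings.
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
# Allow-list the generic service set, then deny the privileged and
# resource-tuning groups from it. SystemCallFilter= is list-type: the second
# line refines the first rather than replacing it.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# AF_UNIX for local sockets, AF_INET/AF_INET6 for the tracker's HTTP traffic.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Empty assignments drop every capability; the service runs unprivileged.
CapabilityBoundingSet=
AmbientCapabilities=
# New files are created without world access (0640 files, 0750 directories).
UMask=0027

[Install]
WantedBy=multi-user.target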