openlatch-provider 0.2.2

Self-service onboarding CLI + runtime daemon for OpenLatch Editors and Providers
# Unit metadata and start-up ordering for the openlatch-provider daemon.
[Unit]
Description=openlatch-provider runtime daemon
# Wants= pulls in network-online.target and After= orders this unit behind it.
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/OpenLatch/openlatch-provider
Documentation=https://docs.openlatch.ai/provider

# Runs the daemon under the dedicated openlatch account, with a restart
# policy, a reload hook and filesystem/kernel sandboxing.
[Service]
# Type=exec: the unit counts as started once the binary has been executed.
Type=exec
User=openlatch
Group=openlatch
# NOTE(review): --no-tls makes the listener on port 8443 plaintext. Presumably
# TLS is terminated by a proxy in front of the daemon — confirm, and keep the
# port unreachable from untrusted networks; otherwise run the listener with TLS.
ExecStart=/usr/local/bin/openlatch-provider listen --port 8443 --no-tls
# Log verbosity, passed through the environment.
Environment=RUST_LOG=info
# The leading "-" makes a missing file a non-error, so the daemon then starts
# without these overrides. NOTE(review): if this file carries credentials,
# keep it root-owned and not world-readable.
EnvironmentFile=-/etc/openlatch/provider.env
# Restart only after an unclean exit, waiting 5 seconds between attempts.
Restart=on-failure
RestartSec=5
# Open-file-descriptor limit for the service.
LimitNOFILE=65536

# SIGHUP is consumed by the daemon as a reload trigger. systemd has no
# built-in reload action, so this ExecReload= line is what lets
# `systemctl reload openlatch-provider` send SIGHUP and refresh the routes
# without restarting the process.
ExecReload=/bin/kill -HUP $MAINPID

# Hardening — reasonable defaults; loosen if your deploy needs more.
# NOTE(review): not set here and worth evaluating: CapabilityBoundingSet=,
# RestrictAddressFamilies=, SystemCallFilter=, RestrictSUIDSGID=,
# ProtectKernelLogs=, ProtectClock=, ProtectHostname=.
# `systemd-analyze security openlatch-provider` lists the remaining exposure.
# No privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=true
# Whole file system is mounted read-only for the service, apart from /dev,
# /proc and /sys and the ReadWritePaths= entries below.
ProtectSystem=strict
# /home, /root and /run/user stay readable but not writable.
# NOTE(review): ProtectHome=true would hide them entirely — consider it if
# the daemon never reads from home directories.
ProtectHome=read-only
# The only writable locations. Both directories must exist before start;
# a missing path makes the sandbox setup (and so the unit) fail.
ReadWritePaths=/var/lib/openlatch /var/log/openlatch
# Private /tmp and /var/tmp; no access to physical devices.
PrivateTmp=true
PrivateDevices=true
# Kernel tunables, module loading and the cgroup tree are off limits.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# No new namespaces, no realtime scheduling, no personality changes.
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
# Blocks memory mappings that are both writable and executable; this would
# have to be relaxed if the daemon ever generated code at runtime.
MemoryDenyWriteExecute=true
# Only system calls of the native ABI are permitted.
SystemCallArchitectures=native

# Logs go to journald; per the upstream note the daemon auto-selects
# structured tracing JSON when its output is not a TTY.
StandardOutput=journal
StandardError=journal

# `systemctl enable` hooks the unit into multi-user.target, so it is started
# as part of a normal (non-rescue) boot.
[Install]
WantedBy=multi-user.target