[Unit]
Description={{ vade.app.name }} (web application)
After=network-online.target
Wants=network-online.target
# Auto-restart rate limit
StartLimitIntervalSec=30s
StartLimitBurst=4
[Service]
Type=simple
ExecStart={{ vars.exec_start }}
WorkingDirectory={{ vade.app.paths.storage }}
User={{ vade.app.username }}
Group={{ vade.app.username }}
EnvironmentFile={{ vade.app.paths.secrets }}
Environment="PORT={{ port(vars.port_name if vars.port_name is defined else "main") }}"
{%- if vars.extra_env_vars is defined %}
{%- for key in vars.extra_env_vars %}
Environment="{{ key }}={{ vars.extra_env_vars[key] }}"
{%- endfor %}
{%- endif %}
# Auto-restart
Restart=on-failure
RestartSec=3s
# Restrict filesystem access
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths={{ vade.app.paths.storage }}
# Additional hardening
NoNewPrivileges=true
ProtectProc=invisible
RestrictNamespaces=true
UMask=0077
RestrictSUIDSGID=true
[Install]
WantedBy=multi-user.target