[Unit]
Description=ThrillWiki Complete Deployment Automation Service
Documentation=man:thrillwiki-deployment(8)
After=network.target network-online.target
Wants=network-online.target
Before=thrillwiki-smart-deploy.timer
PartOf=thrillwiki-smart-deploy.timer

[Service]
Type=simple
User=thrillwiki
Group=thrillwiki
[AWS-SECRET-REMOVED]wiki
[AWS-SECRET-REMOVED]ripts/vm/deploy-automation.sh
ExecStop=/bin/kill -TERM $MAINPID
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
RestartSec=30
KillMode=mixed
KillSignal=SIGTERM
TimeoutStopSec=120
TimeoutStartSec=180
StartLimitIntervalSec=600
StartLimitBurst=3

# Environment variables - Load from file for security and preset integration
EnvironmentFile=-[AWS-SECRET-REMOVED]emd/thrillwiki-deployment***REMOVED***
Environment=PROJECT_DIR=/home/thrillwiki/thrillwiki
Environment=SERVICE_NAME=thrillwiki-deployment
Environment=GITHUB_REPO=origin
Environment=GITHUB_BRANCH=main
Environment=DEPLOYMENT_MODE=automated
Environment=LOG_DIR=/home/thrillwiki/thrillwiki/logs
Environment=MAX_LOG_SIZE=10485760
Environment=SERVER_HOST=0.0.0.0
Environment=SERVER_PORT=8000
Environment=PATH=/home/thrillwiki/.local/bin:/home/thrillwiki/.cargo/bin:/usr/local/bin:/usr/bin:/bin
[AWS-SECRET-REMOVED]thrillwiki

# Security settings - Enhanced hardening for deployment automation
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictSUIDSGID=true
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=false
RemoveIPC=true

# File system permissions - Allow access to necessary directories
[AWS-SECRET-REMOVED]ki
[AWS-SECRET-REMOVED]ki/logs
[AWS-SECRET-REMOVED]ki/media
[AWS-SECRET-REMOVED]ki/staticfiles
[AWS-SECRET-REMOVED]ki/uploads
ReadWritePaths=/home/thrillwiki/.cache
ReadWritePaths=/tmp
ReadOnlyPaths=/home/thrillwiki/.github-pat
ReadOnlyPaths=/home/thrillwiki/.ssh
ReadOnlyPaths=/home/thrillwiki/.local

# Resource limits - Appropriate for deployment automation
LimitNOFILE=65536
LimitNPROC=2048
MemoryMax=1G
CPUQuota=75%
TasksMax=512

# Timeouts and watchdog
WatchdogSec=600
RuntimeMaxSec=0

# Logging configuration
StandardOutput=journal
StandardError=journal
SyslogIdentifier=thrillwiki-deployment
SyslogFacility=daemon
SyslogLevel=info
SyslogLevelPrefix=true

# Enhanced logging for debugging
LogsDirectory=thrillwiki-deployment
LogsDirectoryMode=0755
StateDirectory=thrillwiki-deployment
StateDirectoryMode=0755
RuntimeDirectory=thrillwiki-deployment
RuntimeDirectoryMode=0755

# Capabilities - Minimal required capabilities
CapabilityBoundingSet=
AmbientCapabilities=
PrivateDevices=true
ProtectClock=true
ProtectHostname=true

[Install]
WantedBy=multi-user.target
Also=thrillwiki-smart-deploy.timer