# systemd service unit: runs the ThrillWiki smart-deploy script once per
# activation (Type=oneshot) as the unprivileged "thrillwiki" user inside a
# restricted sandbox. PartOf= ties it to thrillwiki-smart-deploy.timer.
#
# NOTE(review): lines of the form "[AWS-SECRET-REMOVED]..." and the
# "***REMOVED***" suffix are secret-scanner redaction residue, not systemd
# syntax. The original directives must be restored before this unit can load.
# No ExecStart= is visible in this copy; presumably it is one of the redacted
# lines. Confirm against the original file.

[Unit]
Description=ThrillWiki Smart Deployment Service
Documentation=man:thrillwiki-smart-deploy(8)
# After=/Wants= on network.target only orders this unit after network setup has
# begun; it does not wait for connectivity.
# NOTE(review): if the script needs a reachable network at start, confirm
# whether network-online.target was intended.
After=network.target thrillwiki-deployment.service
Wants=network.target
# Stop/restart requests on the timer unit are propagated to this service.
PartOf=thrillwiki-smart-deploy.timer

[Service]
# oneshot: the unit counts as started only once the process has exited, so
# TimeoutStartSec= bounds the whole run of the script.
Type=oneshot
User=thrillwiki
Group=thrillwiki
[AWS-SECRET-REMOVED]wiki
[AWS-SECRET-REMOVED]ripts/smart-deploy.sh
# Seconds.
TimeoutStartSec=300
TimeoutStopSec=60

# Environment variables - loaded from the deployment configuration.
# The leading "-" makes a missing file a silent no-op rather than an error.
# NOTE(review): everything in this file becomes environment for the deploy
# script. Confirm that it is not writable by anyone who should not control a
# deployment and that it is not world-readable if it holds credentials.
EnvironmentFile=-[AWS-SECRET-REMOVED]emd/thrillwiki-deployment***REMOVED***
Environment=PROJECT_DIR=/home/thrillwiki/thrillwiki
Environment=SERVICE_NAME=thrillwiki-smart-deploy
Environment=DEPLOYMENT_MODE=timer
Environment=LOG_DIR=/home/thrillwiki/thrillwiki/logs
# Directories under /home/thrillwiki come before the system directories, so a
# binary placed there shadows the system binary of the same name for every
# command the script runs.
# NOTE(review): confirm this ordering is required.
Environment=PATH=/home/thrillwiki/.local/bin:/home/thrillwiki/.cargo/bin:/usr/local/bin:/usr/bin:/bin
[AWS-SECRET-REMOVED]thrillwiki

# Security settings - inherited from the main deployment service.
# No privilege gain through setuid/setgid bits or file capabilities on execve().
NoNewPrivileges=true
# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=true
# Whole file system hierarchy is read-only except /dev, /proc and /sys;
# ReadWritePaths= below lists the exceptions.
ProtectSystem=strict
# ProtectHome=true makes /home, /root and /run/user inaccessible and empty.
# NOTE(review): PROJECT_DIR, LOG_DIR, PATH and the ReadWritePaths=/
# ReadOnlyPaths= entries below all point under /home/thrillwiki. Verify on a
# running unit that they are actually reachable. systemd.exec(5) describes
# ProtectHome=tmpfs with BindPaths=/BindReadOnlyPaths= for exposing selected
# home subdirectories.
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictSUIDSGID=true
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
# W^X enforcement is explicitly left off, so writable+executable memory
# mappings remain possible.
# NOTE(review): record which component needs this, or set it to true.
MemoryDenyWriteExecute=false
RemoveIPC=true

# File system permissions - exceptions to ProtectSystem=strict.
[AWS-SECRET-REMOVED]ki
[AWS-SECRET-REMOVED]ki/logs
[AWS-SECRET-REMOVED]ki/media
[AWS-SECRET-REMOVED]ki/staticfiles
[AWS-SECRET-REMOVED]ki/uploads
ReadWritePaths=/home/thrillwiki/.cache
# NOTE(review): PrivateTmp=true already provides a writable private /tmp, so
# this entry looks redundant. Confirm.
ReadWritePaths=/tmp
# The GitHub token and SSH key material are readable (not writable) by the
# script and by every child process it starts.
# NOTE(review): consider passing these with LoadCredential= so the secrets are
# exposed only to this unit.
ReadOnlyPaths=/home/thrillwiki/.github-pat
ReadOnlyPaths=/home/thrillwiki/.ssh
ReadOnlyPaths=/home/thrillwiki/.local

# Resource limits
LimitNOFILE=65536
LimitNPROC=1024
MemoryMax=512M
# Percentage of one CPU.
CPUQuota=50%
TasksMax=256

# Logging configuration - stdout/stderr go to the journal, tagged with
# SyslogIdentifier=.
StandardOutput=journal
StandardError=journal
SyslogIdentifier=thrillwiki-smart-deploy
SyslogFacility=daemon
SyslogLevel=info
SyslogLevelPrefix=true

# Capabilities - the empty assignments leave the bounding and ambient sets
# empty, so the process holds no Linux capabilities.
CapabilityBoundingSet=
AmbientCapabilities=
PrivateDevices=true
ProtectClock=true
ProtectHostname=true

[Install]
# NOTE(review): enabling this service pulls it into multi-user.target, so it
# would also run once at boot, independently of the timer. Confirm that is
# intended and that only the timer unit should not carry the [Install] section.
WantedBy=multi-user.target