[Unit]
Description=CurrenciCombo orchestrator (Node)
Documentation=https://gitea.d-bis.org/d-bis/CurrenciCombo
After=network-online.target postgresql.service redis-server.service redis.service
Wants=network-online.target

[Service]
Type=simple
User=currencicombo
Group=currencicombo
WorkingDirectory=/opt/currencicombo/orchestrator
EnvironmentFile=/etc/currencicombo/orchestrator.env
ExecStart=/usr/bin/node /opt/currencicombo/orchestrator/dist/index.js
Restart=on-failure
RestartSec=5
TimeoutStopSec=20
StandardOutput=journal
StandardError=journal
SyslogIdentifier=currencicombo-orchestrator

# Hardening
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/log/currencicombo
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
LockPersonality=yes

[Install]
WantedBy=multi-user.target