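# systemd service unit for linux-patch-api (see Documentation= below).
# Read by systemd: "#" full-line comments only, "=" delimiter, no inline comments.

[Unit]
Description=Linux Patch API - Secure Remote Package Management
Documentation=man:linux-patch-api(8)
# Package downloads need a configured network, not merely a started one
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Accept sd_notify() messages from the main PID only. "all" would also honour
# status/MAINPID= messages sent by any process in the service cgroup, which
# during an install includes apt, dpkg and package maintainer scripts.
NotifyAccess=main
ExecStart=/usr/bin/linux-patch-api --config /etc/linux_patch_api/config.yaml
Restart=on-failure
RestartSec=5s
TimeoutStopSec=30s

# Process management
# /run/linux-patch-api, created before start and removed after stop
RuntimeDirectory=linux-patch-api
RuntimeDirectoryMode=0755

# Security hardening
# NOTE: Package management requires extensive system access. The following
# restrictions have been removed because they block core functionality:
# - ProtectSystem=strict: Blocks writes to /usr, /etc, /lib where packages install
# - NoNewPrivileges: Blocks sudo/setuid which apt needs for _apt sandbox
# - RestrictSUIDSGID: Blocks setuid/setgid which apt needs for _apt sandbox
# - CapabilityBoundingSet: Drops capabilities that apt needs (SETUID, SETGID, CHOWN, etc.)
# - AmbientCapabilities: Same issue as CapabilityBoundingSet
# Network security is provided by mTLS + IP whitelist. The service runs as root
# and MUST be able to install/remove/update packages system-wide.
# Because the unit keeps full root capabilities, treat the Protect*/Private*
# settings below as guards against accidental misuse by the daemon and the
# tools it runs, not as a containment boundary for a compromised process.
ProtectHome=true
PrivateTmp=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
# Read-only /sys/fs/cgroup; package installs do not need to write there
ProtectControlGroups=true
RestrictNamespaces=true
LockPersonality=true
# Explicitly disabled, but no reason is recorded. NOTE(review): confirm whether
# the daemon or apt/dpkg actually needs writable+executable mappings; a Rust
# daemon (suggested by the RUST_* variables below) normally does not, in which
# case this can be set to true.
MemoryDenyWriteExecute=false
RestrictRealtime=true

# System call filtering (whitelist approach)
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Restrict the service to the host's native syscall ABI (recommended alongside
# SystemCallFilter= so the filter cannot be sidestepped via a secondary ABI)
SystemCallArchitectures=native
# NOTE(review): RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
# would further narrow the socket surface (glibc name resolution uses
# AF_NETLINK); verify against a full package install before enabling.

# Environment
Environment="RUST_BACKTRACE=1"
Environment="DEBIAN_FRONTEND=noninteractive"
Environment="RUST_LOG=info"

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=linux-patch-api
SyslogFacility=daemon
SyslogLevel=info

# Resource limits
LimitNOFILE=65536
LimitNPROC=4096

[Install]
WantedBy=multi-user.target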