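# patch-manager-web.service — systemd unit for the Linux Patch Manager web server (pm-web).
# Read by systemd only; one directive per line, '#' full-line comments, '=' delimiter.

[Unit]
Description=Linux Patch Manager — Web Server
Documentation=https://gitea.moon-dragon.us/echo/linux_patch_manager
After=network.target postgresql.service
Requires=postgresql.service

[Service]
Type=simple
User=patch-manager
Group=patch-manager
WorkingDirectory=/opt/patch-manager

# Configuration
Environment="PATCH_MANAGER_CONFIG=/etc/patch-manager/config.toml"
# Individual settings may be overridden through the environment, e.g.
# PATCH_MANAGER__DATABASE__URL=postgres://...
# Do NOT put such values in Environment= here: unit files are normally
# world-readable and Environment= is shown by `systemctl show` to unprivileged
# users, so a database URL with credentials would leak. Keep overrides in a
# root-owned, mode 0600 file instead (leading '-' makes the file optional):
EnvironmentFile=-/etc/patch-manager/env
# For secrets proper prefer LoadCredential=; the service then reads the file
# from $CREDENTIALS_DIRECTORY, which is private to this unit.
# LoadCredential=db-password:/etc/patch-manager/db-password

ExecStart=/usr/local/bin/pm-web
Restart=on-failure
RestartSec=5s
TimeoutStopSec=30s

# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
# The only writable path under ProtectSystem=strict; the config file and
# WorkingDirectory are read-only. Add further paths here if pm-web keeps
# state elsewhere (e.g. a /var/lib/ directory) — verify against the app.
ReadWritePaths=/var/log/patch-manager
PrivateTmp=true
PrivateDevices=true
# Additional low-risk restrictions for a network service that only needs
# sockets, files and the journal.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=true
LockPersonality=true
# TCP for HTTPS clients and PostgreSQL, AF_UNIX for the local socket / journal.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=native
# Files the service creates (logs) are private to its user.
UMask=0077
# Stricter filters that depend on the runtime pm-web is built with; enable
# after testing, as JIT-based runtimes can require W+X memory:
# SystemCallFilter=@system-service
# SystemCallFilter=~@privileged @resources
# MemoryDenyWriteExecute=true

# Allow binding to port 443 without root
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=patch-manager-web

[Install]
WantedBy=multi-user.target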