# systemd service unit for the MYP HTTPS backend.
# Starts a Python process that serves the application over TLS on port 443.

[Unit]
Description=MYP Druckerverwaltung HTTPS Backend (Port 443)
Documentation=https://github.com/MYP-Druckerverwaltung
# Hard dependency on basic networking; soft dependency on the network being
# fully configured. Start only after both targets have been reached.
Requires=network.target
Wants=network-online.target
After=network.target network-online.target

[Service]
Type=simple
WorkingDirectory=/opt/myp

# NOTE(review): the process runs as uid 0 although CAP_NET_BIND_SERVICE is
# granted further down, which is what an unprivileged account needs to bind
# port 443. A dedicated service account would reduce the impact of a
# compromise of this network-facing process. Confirm the ownership of
# /opt/myp and what ensure_ssl_certificates writes before changing this.
User=root
Group=root

# Runs before the main process. Presumably creates or validates the TLS
# certificate and key below /opt/myp; confirm in utils/ssl_config.py.
ExecStartPre=/usr/bin/python3 -c "from utils.ssl_config import ensure_ssl_certificates; ensure_ssl_certificates('/opt/myp')"

# Main process: imports `app`, builds an SSL context and calls app.run() on
# all interfaces, port 443, with debug disabled and threading enabled.
# NOTE(review): if `app` is a Flask application (the FLASK_* variables below
# suggest so), app.run() starts the built-in development server, which the
# Flask documentation advises against for production use. Consider a
# production WSGI server, or a reverse proxy that terminates TLS.
ExecStart=/usr/bin/python3 -c "import sys; sys.path.insert(0, '/opt/myp'); from app import app; from utils.ssl_config import get_ssl_context; ssl_ctx = get_ssl_context('/opt/myp'); app.run(host='0.0.0.0', port=443, debug=False, ssl_context=ssl_ctx, threaded=True)"

# Restart on every exit after a 10 second pause; give up after 5 starts
# within 300 seconds.
# NOTE(review): StartLimitInterval= in [Service] is the legacy spelling;
# current systemd documents StartLimitIntervalSec= in [Unit].
Restart=always
RestartSec=10
StartLimitBurst=5
StartLimitInterval=300

# Logging: stdout and stderr go to the journal, tagged "myp-https".
StandardOutput=journal
StandardError=journal
SyslogIdentifier=myp-https

# Environment: UTF-8 locale and Python runtime settings.
Environment=LANG=C.UTF-8
Environment=LC_ALL=C.UTF-8
Environment=PYTHONUNBUFFERED=1
Environment=PYTHONPATH=/opt/myp
# ExecStart passes host and port explicitly, so whether the application
# reads FLASK_HOST / FLASK_PORT is not visible from this unit.
Environment=FLASK_ENV=production
Environment=FLASK_HOST=0.0.0.0
Environment=FLASK_PORT=443
# Point OpenSSL, requests and curl at the system CA bundle.
Environment=SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
Environment=REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
Environment=CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

# Sandboxing for the production environment.
NoNewPrivileges=true
# ProtectSystem=strict makes the file system hierarchy read-only for this
# service except for the paths listed in ReadWritePaths=.
ProtectSystem=strict
# NOTE(review): each writable path widens what a compromised process can
# alter, and all three are written as uid 0:
#   /opt/myp  - includes the application code that ExecStart imports, so a
#               change there persists across restarts. Consider limiting
#               write access to the data and certificate directories only.
#   /var/log  - the whole log directory, although output goes to the
#               journal. Consider an application-specific subdirectory.
#   /tmp      - the host's shared, world-writable /tmp (PrivateTmp=false).
ReadWritePaths=/opt/myp /var/log /tmp
# NOTE(review): PrivateTmp=true would give the service its own /tmp and
# avoid file-name clashes and symlink tricks from other local users. Confirm
# that nothing exchanges files with this service through /tmp first.
PrivateTmp=false

# Capabilities: only binding to privileged ports (443) is retained; every
# other capability is removed from the bounding set.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target