[Unit]
Description=MYP Druckerverwaltung HTTPS Production Server (Port 443 Only)
Documentation=https://github.com/MYP-Druckerverwaltung
After=network.target network-online.target
Wants=network-online.target
Requires=network.target

[Service]
Type=simple
User=root
Group=root
WorkingDirectory=/opt/myp

# Produktions-App mit HTTPS-Only auf Port 443
ExecStart=/usr/bin/python3 /opt/myp/app.py
Restart=always
RestartSec=10
StartLimitBurst=5
StartLimitInterval=300

# Umgebungsvariablen für Produktionsbetrieb
Environment=PYTHONUNBUFFERED=1
Environment=FLASK_ENV=production
Environment=FLASK_HOST=0.0.0.0
Environment=FLASK_PORT=443
Environment=PYTHONPATH=/opt/myp
Environment=LC_ALL=C.UTF-8
Environment=LANG=C.UTF-8
Environment=KIOSK_MODE=true
Environment=USE_OPTIMIZED_CONFIG=true
Environment=HTTPS_ONLY=true
Environment=SSL_REQUIRED=true

# Logging-Konfiguration
StandardOutput=journal
StandardError=journal
SyslogIdentifier=myp-production

# Sicherheitseinstellungen für Produktionsbetrieb
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/opt/myp
ReadWritePaths=/var/log

# Netzwerk-Sicherheit
PrivateNetwork=false
RestrictAddressFamilies=AF_INET AF_INET6
IPAddressDeny=any
IPAddressAllow=localhost
IPAddressAllow=127.0.0.0/8
IPAddressAllow=10.0.0.0/8
IPAddressAllow=192.168.0.0/16
IPAddressAllow=172.16.0.0/12

# Ressourcen-Limits
LimitNOFILE=65536
LimitNPROC=4096
MemoryHigh=512M
MemoryMax=1G
CPUQuota=80%

# Capabilities für Port 443 (privilegierter Port)
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target