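# systemd service unit for the MYP backend: gunicorn serving the Flask WSGI
# application from /opt/myp/backend as the unprivileged `myp` account inside
# a systemd sandbox.

[Unit]
Description=MYP Backend Flask Application
Documentation=https://github.com/your-org/myp
After=network.target

[Service]
# Recent gunicorn releases report READY=1 over sd_notify once the workers are
# up, so Type=notify makes `systemctl start` block until the listener serves.
Type=notify
User=myp
Group=myp
WorkingDirectory=/opt/myp/backend

# PATH is deliberately limited to the venv: anything the app shells out to has
# to be invoked by absolute path (ExecReload below already is).
Environment=PATH=/opt/myp/venv/bin
Environment=FLASK_ENV=production

# --bind=0.0.0.0:5000 accepts connections on every interface; keep a reverse
# proxy or host firewall in front of it, or narrow the bind address.
# The log paths are relative to WorkingDirectory and must stay covered by
# ReadWritePaths below, otherwise ProtectSystem=strict makes the open() fail.
# --capture-output redirects the workers' stdout/stderr into error.log, so
# expect application output there rather than in the journal.
ExecStart=/opt/myp/venv/bin/gunicorn \
    --workers=4 \
    --worker-class=sync \
    --bind=0.0.0.0:5000 \
    --timeout=30 \
    --keep-alive=5 \
    --max-requests=1000 \
    --max-requests-jitter=100 \
    --preload \
    --access-logfile=logs/access.log \
    --error-logfile=logs/error.log \
    --log-level=info \
    --capture-output \
    --enable-stdio-inheritance \
    wsgi:application

# With --preload the application is imported once in the arbiter, so HUP
# re-reads the gunicorn config and respawns workers but does not pick up new
# application code; a code deploy needs `systemctl restart`, not `reload`.
ExecReload=/bin/kill -s HUP $MAINPID
# SIGTERM goes to the arbiter first, SIGKILL to whatever is left after
# TimeoutStopSec. 5 s is shorter than gunicorn's default graceful timeout, so
# requests still in flight after 5 s are dropped; raise it if long requests
# are expected.
KillMode=mixed
TimeoutStopSec=5
PrivateTmp=true
Restart=on-failure
RestartSec=10

# Sandboxing. The service runs as an unprivileged user on a high port, so it
# needs no capabilities, no device nodes and no namespace/IPC/realtime access;
# denying them bounds what a compromised worker behind the 0.0.0.0 listener
# can reach. Re-run `systemd-analyze security` on this unit after changes.
NoNewPrivileges=true
# Port 5000 needs no privilege; binding below 1024 would need
# AmbientCapabilities=CAP_NET_BIND_SERVICE plus the matching bounding-set entry.
CapabilityBoundingSet=
# Code and venv are read-only at runtime; the only writable locations are
# gunicorn's log directory, Flask's instance folder and the private /tmp.
# Both directories must exist and be writable by `myp` before the first start.
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/opt/myp/backend/logs /opt/myp/backend/instance
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
ProtectProc=invisible
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
LockPersonality=true
# AF_UNIX stays allowed for sd_notify and the journal socket; add AF_NETLINK
# only if a dependency turns out to need it.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=native
# @system-service covers what a Python WSGI app normally needs; a worker dying
# with SIGSYS in the journal means a dependency uses a syscall outside the set.
SystemCallFilter=@system-service
# MemoryDenyWriteExecute=true is worth testing as well; it breaks extensions
# that JIT or map W+X pages, so it is left off until verified against this app.

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=myp-backend

[Install]
WantedBy=multi-user.target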