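# systemd unit for the MYP backend. Runs app.py with the Python 3.11 venv
# interpreter as the unprivileged user "myp", started with --port 443 and a
# certificate/key pair.

[Unit]
Description=MYP Backend Service (Python 3.11)
Documentation=https://github.com/myp-project/backend
# Start after the network is reported online and before the kiosk unit.
After=network-online.target
Wants=network-online.target
Before=myp-kiosk.service

[Service]
Type=simple
User=myp
Group=myp
# Relative paths in ExecStart (app.py, certs/...) resolve against this directory.
WorkingDirectory=/opt/myp/backend/app
Environment=PYTHONPATH=/opt/myp/backend/app
Environment=FLASK_ENV=production
Environment=FLASK_APP=app.py
Environment=PYTHONUNBUFFERED=1
# No .pyc writes: the code tree is read-only under ProtectSystem=strict.
Environment=PYTHONDONTWRITEBYTECODE=1
# Fixed 5 second delay before every start.
ExecStartPre=/bin/sleep 5
# Binds all interfaces (0.0.0.0). certs/backend.key is the private key.
# NOTE(review): confirm the key file is readable by the myp account only.
ExecStart=/opt/myp/backend/venv/bin/python3.11 app.py --host 0.0.0.0 --port 443 --cert certs/backend.crt --key certs/backend.key
# NOTE(review): a Python process without a SIGHUP handler exits on this signal;
# confirm app.py handles it, otherwise "reload" is a stop followed by Restart=always.
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
RestartSec=10
TimeoutStartSec=60
TimeoutStopSec=30
StandardOutput=journal
StandardError=journal
SyslogIdentifier=myp-backend

# Security settings
# Port 443 is below 1024, so a non-root user needs CAP_NET_BIND_SERVICE to bind
# it (unless the host lowers net.ipv4.ip_unprivileged_port_start).
# NoNewPrivileges=true rules out file capabilities on the interpreter, so the
# capability is granted as an ambient capability and the bounding set is
# limited to that single capability.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictSUIDSGID=true
# The only locations under /opt/myp the service may write to. Each path must
# exist before start, or namespace setup fails.
# NOTE(review): uploads is writable and sits inside the application tree;
# confirm uploaded files are never imported or served as code.
ReadWritePaths=/opt/myp/backend/app/logs
ReadWritePaths=/opt/myp/backend/app/database
ReadWritePaths=/opt/myp/backend/app/uploads

# Resource limits
MemoryMax=1G
# Percentage of one CPU.
CPUQuota=80%

[Install]
WantedBy=multi-user.target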