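# Gondulf IndieAuth Server - systemd Unit for Rootless Podman
#
# Installation (rootless - recommended):
#   1. Copy this file to ~/.config/systemd/user/gondulf.service
#   2. systemctl --user daemon-reload
#   3. systemctl --user enable --now gondulf
#   4. loginctl enable-linger $USER  # Allow service to run without login
#
# Installation (rootful - not recommended):
#   1. Copy this file to /etc/systemd/system/gondulf.service
#   2. sudo systemctl daemon-reload
#   3. sudo systemctl enable --now gondulf
#
# Management:
#   systemctl --user status gondulf
#   systemctl --user restart gondulf
#   systemctl --user stop gondulf
#   journalctl --user -u gondulf -f
#
# Note: systemd only treats "#" as a comment at the start of a line, so every
# directive below must stay on its own line.

[Unit]
Description=Gondulf IndieAuth Server (Rootless Podman)
Documentation=https://github.com/yourusername/gondulf
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
Restart=always
RestartSec=10s
TimeoutStartSec=60s
TimeoutStopSec=30s

# Working directory (adjust to your installation path).
# %h is the home directory of the user running the service manager, so the
# unit does not assume that homes live under /home. For a system unit it
# resolves to root's home.
WorkingDirectory=%h/gondulf

# Stop and remove any existing container.
# The leading "-" tells systemd to ignore a non-zero exit status, which is
# what these commands return when no such container exists.
ExecStartPre=-/usr/bin/podman stop gondulf
ExecStartPre=-/usr/bin/podman rm gondulf

# Start container.
#
# Review notes on the options below:
#  * -p 8000:8000 publishes the port on every host interface, and the health
#    check shows the application answering plain HTTP on that port. If TLS is
#    terminated by a reverse proxy on the same host, publish on loopback only:
#    -p 127.0.0.1:8000:8000
#  * --env-file: keep this file readable by the service user only
#    (chmod 600). Values passed this way are also visible to anyone who can
#    run "podman inspect" as the same user.
#  * --security-opt no-new-privileges prevents processes inside the container
#    from gaining privileges through setuid binaries or file capabilities.
#    NOTE(review): drop it only if the image's entrypoint relies on such a
#    binary.
#  * gondulf:latest is an unqualified, mutable tag. Prefer a fixed version
#    tag or digest; for a locally built image, a fully qualified name such as
#    localhost/gondulf:<version> together with --pull=never avoids falling
#    back to a registry search if the local image is missing.
ExecStart=/usr/bin/podman run \
    --name gondulf \
    --rm \
    -p 8000:8000 \
    -v gondulf_data:/data:Z \
    --env-file %h/gondulf/.env \
    --security-opt no-new-privileges \
    --health-cmd "wget --no-verbose --tries=1 --spider http://localhost:8000/health || exit 1" \
    --health-interval 30s \
    --health-timeout 5s \
    --health-retries 3 \
    gondulf:latest

# Stop container gracefully (10 s for the container, within TimeoutStopSec).
ExecStop=/usr/bin/podman stop -t 10 gondulf

# Security settings
#
# The container itself is restricted with --security-opt no-new-privileges on
# the podman command line above. The unit-level options are left disabled for
# the recommended rootless install:
#  * NoNewPrivileges=true is inherited by podman itself. Rootless Podman
#    executes the privileged helpers newuidmap/newgidmap to set up its user
#    namespace, and with no_new_privs set those helpers gain no privileges.
#  * PrivateTmp=true needs a mount namespace. In a per-user service manager
#    it is either not applied or is applied through an implicit user
#    namespace, depending on the systemd version; the container already has
#    its own /tmp in either case.
# NOTE(review): confirm against your systemd and Podman versions. Both
# options can be enabled when this file is installed as a rootful system unit.
#NoNewPrivileges=true
#PrivateTmp=true

[Install]
WantedBy=default.target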