# ============================================================================
# WebDAV Server Systemd Service
# Installation: sudo cp webdav.service /etc/systemd/system/
# Enable: sudo systemctl enable webdav
# Start: sudo systemctl start webdav
# Status: sudo systemctl status webdav
# Logs: sudo journalctl -u webdav -f
# ============================================================================

[Unit]
Description=WebDAV Server with aiohttp
Documentation=https://github.com/yourusername/webdav-server
After=network.target

[Service]
Type=notify

# User and group to run the service (create with: sudo useradd -r -s /bin/false webdav)
User=webdav
Group=webdav

# Working directory
WorkingDirectory=/opt/webdav-server

# Environment file
EnvironmentFile=/opt/webdav-server/.env

# Command to start the service (using Gunicorn for production)
ExecStart=/opt/webdav-server/venv/bin/gunicorn main:init_app \
    --config /opt/webdav-server/gunicorn_config.py \
    --bind 0.0.0.0:8080 \
    --worker-class aiohttp.GunicornWebWorker \
    --workers 4 \
    --access-logfile /var/log/webdav/access.log \
    --error-logfile /var/log/webdav/error.log \
    --log-level info

# Alternative: Run with Python directly (for development)
# ExecStart=/opt/webdav-server/venv/bin/python /opt/webdav-server/main.py

# Restart policy
Restart=always
RestartSec=10

# Resource limits
LimitNOFILE=65536
LimitNPROC=4096

# Security hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/opt/webdav-server/webdav /opt/webdav-server/logs /opt/webdav-server/backups /opt/webdav-server/webdav.db
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native

# Process properties
Nice=0
IOSchedulingClass=best-effort
IOSchedulingPriority=4

# Standard output and error
StandardOutput=journal
StandardError=journal
SyslogIdentifier=webdav-server

# Watchdog (for monitoring)
WatchdogSec=60s

# Kill mode
KillMode=mixed
KillSignal=SIGTERM
TimeoutStopSec=30s

[Install]
WantedBy=multi-user.target