[Unit]
Description=Live video for the AT Protocol. Solving video for everybody forever.
Documentation=https://stream.place/docs
After=network-online.target
Wants=network-online.target
Requires=network.target

[Service]
Type=exec
ExecStart=/usr/bin/streamplace
Restart=always
RestartSec=3
TimeoutStartSec=60
TimeoutStopSec=30

User=streamplace
Group=streamplace

# Environment
Environment=SP_DATA_DIR=/var/lib/streamplace

# Additional environment file for user customization
EnvironmentFile=-/etc/streamplace/streamplace.env

# Grant capability to bind to privileged ports
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# Security hardening
NoNewPrivileges=yes
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
PrivateTmp=yes

# Resource limits
LimitNOFILE=65536
LimitNPROC=4096

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=streamplace

# Working directory
WorkingDirectory=/var/lib/streamplace

[Install]
WantedBy=multi-user.target