[Unit]
Description=CIS490 lab-host episode shipper
Documentation=https://maxgit.wg/spectral/CIS490
# WG must be up before the shipper can reach the receiver.
After=network-online.target wg-quick@wg0.service
Wants=network-online.target
Requires=wg-quick@wg0.service

[Service]
# Type=notify so systemd waits for sd_notify("READY=1") before
# considering the unit started, and so WatchdogSec= can kick in.
# Without this, Restart=on-failure only catches process crashes —
# silent stalls (deadlock, blocked I/O past timeout, hung tar
# subprocess) leave a zombie running with the data backlog growing.
Type=notify
NotifyAccess=main
WatchdogSec=180
User=cis490
Group=cis490
WorkingDirectory=/opt/cis490
ExecStart=/opt/cis490/.venv/bin/python -m shipper --config /etc/cis490/lab-host.toml
Restart=on-failure
RestartSec=5

# Hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/cis490
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
LockPersonality=true
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target