# ─────────────────────────────────────────────────────────────
# Systemd unit for the Bifrost portal (bifrost-portal.fenja.ai).
# Mirrors the conventions of the existing fenja.service / bifrost-customer.service
# on this box: runs as the `fenja` user, logs to journald, writes only to
# /opt/fenja/data. Astro SSR standalone server (dist/server/entry.mjs).
#
# Install to: /etc/systemd/system/bifrost-portal.service
#
#   sudo cp deploy/bifrost-portal.service /etc/systemd/system/bifrost-portal.service
#   sudo systemctl daemon-reload
#   sudo systemctl enable --now bifrost-portal
#   sudo systemctl status bifrost-portal
#   sudo journalctl -u bifrost-portal -f
# ─────────────────────────────────────────────────────────────

[Unit]
Description=Bifrost portal (Astro SSR)
# Ordering only: network.target does not wait for interfaces to be configured.
After=network.target

[Service]
Type=simple
# Unprivileged service account; no capabilities are granted by this unit.
User=fenja
Group=fenja
WorkingDirectory=/opt/bifrost-portal
# systemd loads this file itself when it starts the unit and passes the
# variables to the process.
# NOTE(review): presumably holds secrets; keep it out of version control and
# not world-readable (e.g. mode 0600 or 0640), and confirm who owns it.
EnvironmentFile=/opt/bifrost-portal/.env
ExecStart=/usr/bin/node /opt/bifrost-portal/dist/server/entry.mjs
# Restart after an unclean exit, waiting 5 seconds between attempts.
Restart=on-failure
RestartSec=5

# stdout / stderr → journald
# NOTE(review): anything the app prints ends up in the journal; make sure it
# never logs values taken from the environment file.
StandardOutput=journal
StandardError=journal
SyslogIdentifier=bifrost-portal

# ─── Hardening (matches the other Fenja units) ───
# The process and its children cannot gain privileges through execve()
# (setuid/setgid bits, file capabilities).
NoNewPrivileges=true
# Private /tmp and /var/tmp, not shared with other services.
PrivateTmp=true
# The file system is mounted read-only for this service (apart from /dev,
# /proc and /sys), so the application code under /opt/bifrost-portal cannot
# be modified by the running process.
ProtectSystem=strict
# /home, /root and /run/user are inaccessible.
ProtectHome=true
# Kernel tunables (/proc/sys, /sys, ...) are read-only; module loading is denied.
ProtectKernelTunables=true
ProtectKernelModules=true
# The cgroup hierarchy is read-only.
ProtectControlGroups=true
# Creating setuid/setgid files is denied.
RestrictSUIDSGID=true
# The execution domain (personality) cannot be changed.
LockPersonality=true
# NOTE(review): not set here: PrivateDevices=, CapabilityBoundingSet=,
# RestrictAddressFamilies=, RestrictNamespaces=, SystemCallFilter=.
# `systemd-analyze security bifrost-portal` lists the remaining exposure.
# Evaluate any addition on all Fenja units together so they stay aligned.
# MemoryDenyWriteExecute= is usually incompatible with Node's JIT; test
# before enabling it.

# Only the shared data dir is writable (db, uploads, backups live here)
# NOTE(review): the directory is shared, so a compromised portal process can
# modify whatever else is stored there. If the portal needs only part of it,
# a narrower path would limit the impact; confirm against the app.
ReadWritePaths=/opt/fenja/data

[Install]
WantedBy=multi-user.target