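# systemd unit for the Bifrost portal (bifrost-portal.fenja.ai)
# Install to /etc/systemd/system/bifrost-portal.service
# Then: sudo systemctl daemon-reload && sudo systemctl enable --now bifrost-portal
#
# Assumes:
# - code checkout at /opt/bifrost-portal (built in place: dist/server/entry.mjs)
# - environment file at /etc/bifrost-portal.env (chmod 600, see .env.production.example)
# - a dedicated unprivileged service user `bifrost`
# - persistent data under /var/lib/bifrost-portal (db + uploads)
#
# Check the effective sandbox with: systemd-analyze security bifrost-portal.service
# Directives unknown to an older systemd are logged as warnings and ignored.

[Unit]
Description=Bifrost portal (Astro SSR, Node standalone)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=bifrost
Group=bifrost
WorkingDirectory=/opt/bifrost-portal
# Secrets live here. systemd reads this file as root before switching to the
# service user, so `bifrost` needs no read access to it (keep it root-owned, 0600).
EnvironmentFile=/etc/bifrost-portal.env
ExecStart=/usr/bin/node /opt/bifrost-portal/dist/server/entry.mjs
Restart=on-failure
RestartSec=3
# Files the portal creates (db, uploads) are private to the service user.
# Loosen to 0027 if another service (e.g. a reverse proxy) must read uploads.
UMask=0077

# Hardening — the service only needs to read its code and write its data dir.
# StateDirectory creates /var/lib/bifrost-portal owned by bifrost and implicitly
# whitelists it under ProtectSystem=strict; ReadWritePaths is kept for clarity.
StateDirectory=bifrost-portal
ReadWritePaths=/var/lib/bifrost-portal
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
ProtectProc=invisible
RestrictSUIDSGID=true
RestrictRealtime=true
RestrictNamespaces=true
LockPersonality=true
# Node only needs IP sockets plus AF_UNIX for its internal pipes.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=native
# @system-service covers what a normal daemon needs; the second line removes
# the privileged subset it still includes. Multiple SystemCallFilter= lines merge.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
# Drop every capability. If the portal must bind a port below 1024, add
# CapabilityBoundingSet=CAP_NET_BIND_SERVICE and AmbientCapabilities=CAP_NET_BIND_SERVICE,
# or keep it on a high port behind a reverse proxy.
CapabilityBoundingSet=
# Do NOT add MemoryDenyWriteExecute=true: V8's JIT needs writable+executable pages.

[Install]
WantedBy=multi-user.target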