[Unit]
Description=Zulip Fediverse Authentication
Before=nginx.service

[Service]
# Zulip API key for user with create user rights
Environment=API_KEY=your-api-key
# JWT secret
Environment=SECRET=your-jwt-secret
Environment=PORT=8091
Environment=ZULIP=your-server.tld
Environment=DB=/var/lib/zulip-fedi-auth/db/db.sqlite
Environment=PYTHONUNBUFFERED=1

#ExecStart=/var/lib/zulip-fedi-auth/venv/bin/python3 auth.py
ExecStart=/var/lib/zulip-fedi-auth/venv/bin/gunicorn --bind 127.0.0.1:8091 auth:app
WorkingDirectory=/var/lib/zulip-fedi-auth/zulip-fediverse-auth
User=zulip-fedi-auth
Group=zulip-fedi-auth

PrivateDevices=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
NoNewPrivileges=true
CapabilityBoundingSet=~CAP_SYS_ADMIN
ReadWritePaths=/var/lib/zulip-fedi-auth/db

[Install]
WantedBy=multi-user.target