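[Unit]
# systemd unit for the MyRoadTrip Fastify API process.
Description=MyRoadTrip Fastify API
# Start after the network is reported online and after Redis. After= only
# orders units; it does not pull them in, so each one also needs a Wants= entry.
After=network-online.target redis-server.service
# network-online.target stays inactive unless some unit wants it, so it is
# listed here next to Redis. Wants= is a weak dependency: this unit is still
# started if either of them fails to come up.
Wants=network-online.target redis-server.service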

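[Service]
# Run as the myroadtrip account instead of root.
User=myroadtrip
Group=myroadtrip
WorkingDirectory=/srv/myroadtrip/repo/apps/api
Environment=NODE_ENV=production
# V8 old-space heap ceiling, in MiB.
Environment=NODE_OPTIONS=--max-old-space-size=4096
# systemd reads this file itself when it starts the service, so it does not
# have to be readable by the myroadtrip account unless the application also
# opens it directly. Keep it root-owned and not group/world readable.
# Every variable in it ends up in the process environment.
EnvironmentFile=/srv/myroadtrip/.env.production
# pnpm is looked up through PATH at start time. An absolute path to the pnpm
# binary would pin exactly what gets executed.
ExecStart=/usr/bin/env pnpm start
# Restart after an unclean exit (non-zero status, signal, timeout), waiting
# 5 seconds between attempts.
Restart=on-failure
RestartSec=5
# append: needs systemd 240 or newer. Nothing in this unit rotates these files.
StandardOutput=append:/var/log/myroadtrip/api.out.log
StandardError=append:/var/log/myroadtrip/api.err.log
# Upper bound on open file descriptors (sockets included) for the service.
LimitNOFILE=65535

# Security hardening
# Check the effective exposure with `systemd-analyze security <unit name>`
# after changing anything in this block.
PrivateTmp=true
# Mounts the file system hierarchy read-only for this service;
# ReadWritePaths= re-opens the listed paths for writing.
ProtectSystem=strict
# NOTE(review): /srv/myroadtrip covers the checked-out code under repo/ and
# .env.production as well as any runtime data. Unless file ownership already
# prevents it, a compromised process could rewrite its own code or
# configuration. If the service only writes to specific subdirectories,
# list those here instead.
ReadWritePaths=/var/log/myroadtrip /srv/myroadtrip
NoNewPrivileges=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
# Private /dev with only pseudo-devices such as /dev/null and /dev/urandom.
PrivateDevices=true
# The service already runs without capabilities (User= is set and no
# AmbientCapabilities= is given); the empty bounding set keeps it that way.
CapabilityBoundingSet=
LockPersonality=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
# MemoryDenyWriteExecute= is deliberately not set: the V8 JIT in Node.js needs
# memory that is both writable and executable.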

[Install]
# `systemctl enable` links the unit into multi-user.target, so it is started
# during a normal (non-rescue) boot.
WantedBy=multi-user.target
