[Unit]
Description=Secrets API Server
After=network.target
Wants=network-online.target

[Service]
Type=simple
User=secrets
Group=secrets
WorkingDirectory=/opt/secrets
EnvironmentFile=/opt/secrets/.env
ExecStart=/opt/secrets/secrets-api
Restart=always
RestartSec=5
StandardOutput=journal
StandardError=journal
SyslogIdentifier=secrets-api

# 安全加固
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/opt/secrets
PrivateTmp=yes

[Install]
WantedBy=multi-user.target