[Unit]
Description=StemeDB Backup Service
Documentation=https://github.com/yourusername/stemedb
After=network.target
Wants=network-online.target

[Service]
Type=oneshot
User=stemedb
Group=stemedb

# Environment file for S3 credentials and configuration
EnvironmentFile=-/etc/default/stemedb-backup

# Default environment variables
Environment="STEMEDB_WAL_DIR=/var/lib/stemedb/wal"
Environment="STEMEDB_DB_DIR=/var/lib/stemedb/db"
Environment="BACKUP_OUTPUT_DIR=/var/backups/stemedb"
Environment="BACKUP_RETENTION=30d"

# Execute backup with retention and S3 upload
ExecStart=/usr/local/bin/backup-stemedb.sh \
    --output ${BACKUP_OUTPUT_DIR} \
    --keep-last ${BACKUP_RETENTION} \
    --upload-s3

# Timeout after 1 hour (for large backups)
TimeoutStartSec=3600

# Restart on failure (network issues, transient errors)
Restart=on-failure
RestartSec=5min
# Maximum 3 retries
StartLimitBurst=3
StartLimitIntervalSec=1h

# Hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/backups/stemedb /var/lib/stemedb

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=stemedb-backup

[Install]
WantedBy=multi-user.target