[Unit]
Description=StemeDB Backup Verification Service
Documentation=https://github.com/yourusername/stemedb
After=network.target

[Service]
Type=oneshot
User=stemedb
Group=stemedb

# Environment
Environment="BACKUP_DIR=/var/backups/stemedb"
Environment="METRICS_DIR=/var/lib/node_exporter/textfile_collector"

# Execute verification on latest backup
ExecStart=/usr/local/bin/verify-backup.sh ${BACKUP_DIR}

# Timeout after 30 minutes
TimeoutStartSec=1800

# Don't restart on failure (verification failure should alert)
Restart=no

# Hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadOnlyPaths=/var/backups/stemedb
ReadWritePaths=/var/lib/node_exporter/textfile_collector

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=stemedb-verify-backup

[Install]
WantedBy=multi-user.target