[Unit]
Description=StemeDB WAL Archival Service
Documentation=https://github.com/yourusername/stemedb
After=network.target
Wants=network-online.target

[Service]
Type=oneshot
User=stemedb
Group=stemedb

# Environment file for S3 credentials
EnvironmentFile=-/etc/default/stemedb-backup

# Default environment variables
Environment="STEMEDB_WAL_DIR=/var/lib/stemedb/wal"
Environment="STATE_FILE=/var/lib/stemedb/wal-archival-state.json"
Environment="METRICS_DIR=/var/lib/node_exporter/textfile_collector"

# Execute WAL archival
ExecStart=/usr/local/bin/archive-wal-to-s3.sh

# Timeout after 10 minutes
TimeoutStartSec=600

# Restart on failure (network issues, transient errors)
Restart=on-failure
RestartSec=2min
StartLimitBurst=3
StartLimitIntervalSec=15min

# Hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadOnlyPaths=/var/lib/stemedb/wal
ReadWritePaths=/var/lib/stemedb /var/lib/node_exporter/textfile_collector

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=stemedb-archive-wal

[Install]
WantedBy=multi-user.target