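# systemd unit for the DECNET fleet reconciler worker.
# This is a template: the {{ ... }} placeholders are substituted by the
# deployment tooling before the file is installed under /etc/systemd/system.
# Comments are '#' full-line only; systemd does not support inline comments.

[Unit]
Description=DECNET Fleet Reconciler (converges decnet-state.json ↔ fleet_deckies DB ↔ docker)
Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#reconciler
# Ordering and soft dependencies only (Wants=, not Requires=): the reconciler
# starts after the network and the bus, but keeps running if the bus is down.
After=network-online.target decnet-bus.service
Wants=network-online.target decnet-bus.service

[Service]
Type=simple
User={{ user }}
Group={{ group }}
WorkingDirectory={{ install_dir }}
# Leading '-': a missing .env.local is not a start-up error. If this file
# carries secrets (DB / bus credentials), keep it owned by {{ user }} with
# mode 0600; note that ReadWritePaths= below leaves it writable by the
# service itself.
EnvironmentFile=-{{ install_dir }}/.env.local
Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.reconciler.log
ExecStart={{ venv_dir }}/bin/decnet reconcile
# stdout/stderr and the application's own log (DECNET_SYSTEM_LOGS) append to
# the same file through separate descriptors, so lines from the two writers
# may interleave. Route one of them to the journal if clean separation matters.
StandardOutput=append:/var/log/decnet/decnet.reconciler.log
StandardError=append:/var/log/decnet/decnet.reconciler.log

# --- Docker access ----------------------------------------------------------
# The reconciler queries the docker daemon (via `docker.from_env()`) to
# observe per-container state. Membership in the docker group lets it
# open /var/run/docker.sock without root. It does NOT exec into
# containers, bind to the network, or spawn new containers.
#
# Caveat: the socket exposes the daemon's full API, and the daemon runs as
# root, so any client holding the socket is effectively root-equivalent on
# the host. The hardening below confines this process, not what the daemon
# does on its behalf; the "observe only" contract is enforced by the
# reconciler's own code path. An allow-listing socket proxy that exposes
# only the read endpoints is the way to enforce it at the boundary.
SupplementaryGroups=docker
# No capabilities at all: empty bounding set, nothing ambient.
CapabilityBoundingSet=
AmbientCapabilities=

# --- Security hardening ----------------------------------------------------
NoNewPrivileges=yes
# 'full' makes /usr, /boot, /efi and /etc read-only while /var stays
# writable. 'strict' (everything read-only except ReadWritePaths=) is the
# stronger setting; it is not enabled here because this unit does not know
# where the fleet_deckies DB lives. Switch once that path is confirmed to be
# covered by a ReadWritePaths= entry.
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
# The reconciler talks to docker over a UNIX socket; no device nodes needed.
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
# Hide other users' processes in /proc; the worker inspects containers via
# the docker API, not via the host's process table.
ProtectProc=invisible
RestrictSUIDSGID=yes
RestrictRealtime=yes
RestrictNamespaces=yes
LockPersonality=yes
RemoveIPC=yes
# AF_UNIX: docker socket. AF_INET/AF_INET6: outbound TCP (the unit orders
# after network-online.target, so network use is expected). AF_NETLINK: used
# by glibc getaddrinfo() for address ordering, not for any network
# configuration.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
SystemCallArchitectures=native
# Standard allow-list for system services. A violation kills the process
# with SIGSYS (visible in the journal) and Restart= would then loop; if that
# happens, widen the filter rather than dropping it.
SystemCallFilter=@system-service

# Read-only access to /var/lib/decnet so we can read decnet-state.json.
# Read-write access only to install_dir + log dir.
ReadOnlyPaths=/var/lib/decnet
ReadWritePaths={{ install_dir }} /var/log/decnet

# Restart only on unclean exit with a 5 s back-off; on stop, SIGTERM is
# escalated to SIGKILL after 15 s.
Restart=on-failure
RestartSec=5
TimeoutStopSec=15

[Install]
WantedBy=multi-user.target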