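# systemd unit template for the DECNET canary worker. The {{ ... }}
# placeholders ({{ user }}, {{ group }}, {{ install_dir }}, {{ venv_dir }})
# are substituted by the deployment tooling before the unit is installed.
[Unit]
Description=DECNET Canary Token Callback Receiver (HTTP + DNS)
Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#canary
# decnet-api.service is only an ordering dependency (listed in After=
# but not in Wants=), so starting this unit does not start the API.
After=network-online.target decnet-bus.service decnet-api.service
Wants=network-online.target decnet-bus.service

[Service]
Type=simple
User={{ user }}
Group={{ group }}
WorkingDirectory={{ install_dir }}
# Leading "-": a missing .env.local is not a start failure. Port overrides
# (DECNET_CANARY_HTTP_PORT / DECNET_CANARY_DNS_PORT) are expected here.
EnvironmentFile=-{{ install_dir }}/.env.local
Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.canary.log
ExecStart={{ venv_dir }}/bin/decnet canary
# stdout/stderr are appended to the same file the worker itself logs to.
StandardOutput=append:/var/log/decnet/decnet.canary.log
StandardError=append:/var/log/decnet/decnet.canary.log

# Binding the privileged DNS port (53) or HTTP ports (80/443) requires
# CAP_NET_BIND_SERVICE. The defaults (DECNET_CANARY_HTTP_PORT=8088,
# DECNET_CANARY_DNS_PORT=5353) are unprivileged, but systemd cannot make
# the grant depend on values in .env.local, so the capability is held
# UNCONDITIONALLY by the process. CapabilityBoundingSet= keeps it the
# only capability the process (or anything it execs) can ever hold.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# Writable locations: the install tree, the log directory and
# /var/lib/decnet for operator-uploaded canary blobs (the same posture
# the other workers use for runtime data).
# NOTE(review): ProtectSystem=full below only makes /usr, /boot, /efi
# and /etc read-only, so /var is writable regardless and these entries
# matter only if {{ install_dir }} lies under one of those trees. They
# become the complete write allow-list if ProtectSystem=strict is
# adopted — TODO confirm the worker writes nowhere else before switching.
ReadWritePaths={{ install_dir }} /var/log/decnet /var/lib/decnet

# Security hardening
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
# A network listener needs no device nodes beyond the pseudo-devices
# (null, zero, urandom, ...) that a private /dev still provides.
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
RestrictNamespaces=yes
LockPersonality=yes
# Refuse non-native syscall ABIs (e.g. 32-bit compat on x86_64).
SystemCallArchitectures=native

Restart=on-failure
# seconds
RestartSec=5
# seconds; SIGKILL after this if the worker ignores SIGTERM
TimeoutStopSec=15

[Install]
WantedBy=multi-user.target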