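# systemd unit for the Cosmian KMS server.
# This file is a Jinja2 template: every templated value comes from the kms variable tree.

[Unit]
Description=Cosmian KMS Server
Documentation=https://github.com/Cosmian/kms
After=network.target
# Order after, and pull in, the local database unit matching the configured backend.
# Wants= is a weak dependency: the KMS is still started if the database unit fails.
{% if kms.database.typ == "mysql" %}
After=mysql.service
Wants=mysql.service
{% elif kms.database.typ == "postgresql" %}
After=postgresql.service
Wants=postgresql.service
{% elif kms.database.typ == "redis" %}
After=redis.service
Wants=redis.service
{% endif %}

[Service]
Type=simple
# Account the server process runs as.
User={{ kms.run_user.name }}
Group={{ kms.run_user.group }}
# The configuration file location is passed both as an environment variable and as --config-file.
Environment=COSMIAN_KMS_CONF={{ kms.config_path }}/{{ kms.config_file }}
# NOTE(review): when fips_mode is set, a debug-level filter for cosmian_kms_server is appended
# regardless of the configured log level. Confirm that debug output of a key-management
# server carries no sensitive material before enabling this in production.
Environment=RUST_LOG={{ kms.log_level }}{% if kms.fips_mode %},cosmian_kms_server=debug{% endif %}

WorkingDirectory={{ kms.work_path }}
ExecStart={{ kms.run_path }} --config-file {{ kms.config_path }}/{{ kms.config_file }}
# Restart on any exit, waiting 10 seconds between attempts.
Restart=always
RestartSec=10

# Security settings
NoNewPrivileges=true
PrivateTmp=true
# strict mounts the whole file system read-only for the service; only ReadWritePaths stay writable.
ProtectSystem=strict
ProtectHome=true
# The SQLite database directory is added only for the sqlite backend.
# NOTE(review): the configuration directory is writable by the service. Under
# ProtectSystem=strict it stays readable when left out of this list; if the server never
# writes there, drop it so a compromised process cannot alter its own configuration.
ReadWritePaths={{ kms.work_path }} {{ kms.config_path }}{% if kms.database.typ == "sqlite" %} {{ kms.database.path | dirname }}{% endif %}

# NOTE(review): the bounding set only caps what the process may hold; it grants nothing to a
# non-root User=. If the server must listen on a port below 1024, AmbientCapabilities for
# CAP_NET_BIND_SERVICE is needed as well; if it never does, an empty bounding set is tighter.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Additional sandboxing that a network daemon does not need to have relaxed.
# PrivateDevices= is deliberately left unset: it could hide a locally attached HSM - TODO confirm.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictSUIDSGID=true
RestrictRealtime=true
LockPersonality=true

# Resource limits
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target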