[Unit]
Description=Network AI Orchestrator Service
Documentation=https://git.salmutt.dev/sal/srx-config
After=network-online.target
Wants=network-online.target
RequiresMountsFor=/shared/ai-gitops

[Service]
Type=simple
User=netops
Group=netops
WorkingDirectory=/home/netops/orchestrator

# Load environment variables
EnvironmentFile=-/home/netops/.env

# Python virtual environment activation and script execution
ExecStart=/home/netops/orchestrator/venv/bin/python /home/netops/orchestrator/orchestrator_main.py

# Restart configuration
Restart=on-failure
RestartSec=30
StartLimitInterval=200
StartLimitBurst=5

# Resource limits
MemoryLimit=8G
CPUQuota=50%

# Environment variables
Environment="PYTHONUNBUFFERED=1"
Environment="ORCHESTRATOR_ENV=production"

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=orchestrator

# Security hardening
PrivateTmp=yes
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/shared/ai-gitops /home/netops/orchestrator/logs /var/lib/orchestrator /var/log/orchestrator

[Install]
WantedBy=multi-user.target