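# talk2me.service — systemd unit for the Talk2Me real-time translation service.
# Runs Gunicorn from the /opt/talk2me virtualenv as the unprivileged talk2me user.
# Read by systemd; comments are full-line only, values are not quoted unless shown.

[Unit]
Description=Talk2Me Real-time Translation Service
Documentation=https://github.com/your-repo/talk2me
After=network.target

# Start rate limiting. These keys belong in [Unit] (StartLimitIntervalSec=,
# StartLimitBurst=); the old [Service] spellings are only kept for
# compatibility and emit a warning on current systemd.
# At most 3 start attempts within 60 seconds before the unit is marked failed.
StartLimitIntervalSec=60
StartLimitBurst=3

[Service]
# notify: Gunicorn sends READY=1 once workers are up, so dependents wait
# for an actual listener rather than just the fork.
Type=notify
User=talk2me
Group=talk2me
WorkingDirectory=/opt/talk2me
Environment="PATH=/opt/talk2me/venv/bin"
Environment="FLASK_ENV=production"
Environment="PYTHONUNBUFFERED=1"

# Production environment variables. Leading '-' makes a missing file
# non-fatal. If this file carries secrets (API keys, DB passwords) it should
# be root-owned with mode 0600; the service user does not need to read it,
# systemd injects the values.
EnvironmentFile=-/opt/talk2me/.env

# Gunicorn command with production settings
ExecStart=/opt/talk2me/venv/bin/gunicorn \
    --config /opt/talk2me/gunicorn_config.py \
    --error-logfile /var/log/talk2me/gunicorn-error.log \
    --access-logfile /var/log/talk2me/gunicorn-access.log \
    --log-level info \
    wsgi:application

# Reload via SIGHUP (Gunicorn re-reads config and rolls workers)
ExecReload=/bin/kill -s HUP $MAINPID

# Graceful stop: SIGTERM to the master, SIGKILL to stragglers after 30 s
KillMode=mixed
TimeoutStopSec=30

# Restart policy (rate limit is in [Unit] above)
Restart=always
RestartSec=10

# Security settings
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=true
LockPersonality=true
# Only native-ABI syscalls; blocks 32-bit compat entry points.
SystemCallArchitectures=native
# Unprivileged web service: drop the whole capability bounding set.
CapabilityBoundingSet=
# Only the socket families an HTTP app needs.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Opt-in hardening, disabled by default: PrivateDevices= hides /dev/* and
# would break GPU-backed inference if the translation models use one;
# SystemCallFilter= may need additions for native libraries. Enable after
# testing on the target host.
# PrivateDevices=true
# SystemCallFilter=@system-service

# Writable locations under ProtectSystem=strict.
# LogsDirectory= creates /var/log/talk2me owned by talk2me and mounts it
# writable, so the Gunicorn log files above can be opened without a
# separate setup step.
LogsDirectory=talk2me
# /tmp/talk2me_uploads lives inside the PrivateTmp namespace: it is empty
# on every start and invisible to other services, so the app must create
# it on boot and nothing in it survives a restart. The leading '-' keeps
# the unit starting if the path does not exist yet.
ReadWritePaths=/var/log/talk2me -/tmp/talk2me_uploads

# Resource limits
LimitNOFILE=65536
LimitNPROC=4096

# Memory limits (adjust based on your system).
# MemoryMax= is the cgroup v2 hard limit; the old MemoryLimit= is the
# deprecated v1 spelling. MemoryHigh= throttles before the hard limit hits.
MemoryHigh=3G
MemoryMax=4G

# CPU limits (optional)
# CPUQuota=200%

[Install]
WantedBy=multi-user.target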