[Unit]
Description=Penpot exporter
After=syslog.target network.target

[Service]
Type=simple
User={{ penpot_user }}
WorkingDirectory={{ penpot_root_dir }}/exporter
Environment=PENPOT_HTTP_SERVER_PORT={{ penpot_ports['exporter'] }}
ExecStart=/bin/node {{ penpot_root_dir }}/exporter/app.js
PrivateTmp=yes
NoNewPrivileges=true
Restart=on-failure
MemoryLimit=512M
SyslogIdentifier=penpot-exporter
Restart=on-failure
StartLimitInterval=0
RestartSec=30
PrivateDevices=true
ProtectControlGroups=true
ProtectHome=true
ProtectSystem=full
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
RestrictRealtime=true
RestrictNamespaces=true
ReadWritePaths=/run {{ penpot_root_dir }}/data
LockPersonality=true

[Install]
WantedBy=multi-user.target