# systemd service unit: runs the infrastructure controller once per activation.
# No [Install] section is visible here, so the unit is presumably started by a
# timer or by hand -- confirm against the deployment.

[Unit]
Description=Infrastructure Controller (one-shot)
# Wants= pulls network-online.target in; After= orders this unit behind it.
# Both are needed for the controller to start only once the network is up.
Wants=network-online.target
After=network-online.target

[Service]
# oneshot: the unit counts as started only after ExecStart has exited.
# NOTE(review): the start timeout is disabled by default for Type=oneshot, so
# a hung run is never killed; consider an explicit TimeoutStartSec=.
Type=oneshot

# Dedicated unprivileged account instead of root.
User=infractl
Group=infractl

WorkingDirectory=/opt/infra-controller
ExecStart=/opt/infra-controller/venv/bin/infra-controller --once

# Unbuffered Python output, so log lines reach the journal as they are written.
Environment=PYTHONUNBUFFERED=1
# Variables from this file are added to the process environment.
# NOTE(review): if it carries credentials, keep it root-owned and not
# world-readable. For a system unit the file is read by the service manager,
# so the infractl account should not need read access -- confirm.
EnvironmentFile=/etc/infra-controller/controller.env

# --- Sandboxing ---
# Blocks privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=true
# An empty assignment clears the bounding set: no capabilities for the service.
CapabilityBoundingSet=
# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=true
# The file system is mounted read-only for the service, apart from /dev, /proc
# and /sys; ReadWritePaths= below lists the only writable locations.
ProtectSystem=strict
# Both directories must exist before start, or namespace setup fails.
ReadWritePaths=/var/lib/infra-controller /var/log/infra-controller
# Home directories are read-only but still readable.
# NOTE(review): ProtectHome=true would hide them completely; use it if the
# controller never needs to read anything under /home, /root or /run/user.
ProtectHome=read-only
# NOTE(review): PrivateDevices=, ProtectKernelTunables= and
# RestrictAddressFamilies= are not set; `systemd-analyze security <unit>`
# reports the remaining exposure.

# --- Logging ---
# stdout and stderr go to the journal, tagged with the identifier below.
StandardOutput=journal
StandardError=journal
SyslogIdentifier=infra-controller