[Unit]
Description=Infrastructure Controller (one-shot)
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
User=infractl
Group=infractl

EnvironmentFile=/etc/infra-controller/controller.env
Environment=PYTHONUNBUFFERED=1

WorkingDirectory=/opt/infra-controller

NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/run/active-apps /var/lib/infra-controller
CapabilityBoundingSet=

ExecStart=/opt/infra-controller/venv/bin/infra-controller --once

StandardOutput=journal
StandardError=journal
SyslogIdentifier=infra-controller