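; rebreak-handshake-watcher.service — systemd unit for the AdGuard handshake watcher.
; Installed to the systemd unit directory; settings are read by systemd (PID 1),
; not by the watcher itself. Comments are full-line only; systemd accepts # or ;.

[Unit]
Description=ReBreak AdGuard Handshake Watcher
Documentation=https://github.com/chahinebrini/rebreak-monorepo
# Start after network and AdGuard's docker container are up.
# After= only orders startup; Wants= pulls network-online.target in without
# making this unit fail if it does not come up.
After=network-online.target docker.service
Wants=network-online.target

[Service]
Type=simple
# NOTE(review): runs as root only to read AdGuard's querylog and the env file.
# systemd reads EnvironmentFile= as root before the service starts, so a
# dedicated service user (with read access to QUERYLOG_PATH) would work
# without loosening the env file's 600/root permissions — verify the
# watcher's other filesystem needs before switching.
User=root
WorkingDirectory=/opt/rebreak-handshake-watcher

# ── Secrets via Infisical ────────────────────────────────────────────────────
# HANDSHAKE_SECRET must be injected at runtime.
# On this server, load it from Infisical via a wrapper or
# write it into /etc/rebreak-handshake-watcher.env (chmod 600, root only)
# during deploy. The .env file is gitignored — never committed.
#
# Format of /etc/rebreak-handshake-watcher.env:
#   HANDSHAKE_SECRET=<32hex from Infisical>
#   BACKEND_URL=https://staging.rebreak.org
#   QUERYLOG_PATH=/opt/adguardhome/data/querylog.json
#
# The secret ends up in the process environment, which child processes
# inherit; if the watcher ever spawns subprocesses, consider moving it to
# LoadCredential= so it is exposed as a file instead of an env var.
EnvironmentFile=/etc/rebreak-handshake-watcher.env
ExecStart=/usr/bin/python3 /opt/rebreak-handshake-watcher/watcher.py

# Restart on any exit (clean exit, crash, SIGKILL, etc.) after 5s
Restart=always
RestartSec=5s

# stdout/stderr go to journald under this identifier
# (journal is the default for a service; set explicitly for clarity)
StandardOutput=journal
StandardError=journal
SyslogIdentifier=rebreak-handshake-watcher

# Harden the service process.
# NoNewPrivileges: the watcher and its children cannot gain privileges
# via setuid/setgid binaries or file capabilities.
NoNewPrivileges=true
# PrivateTmp: private /tmp and /var/tmp, not shared with other services.
PrivateTmp=true
# ProtectSystem=full: /usr, /boot, /efi and /etc are read-only for the
# service. /opt (working dir, querylog) stays writable, and the env file is
# read by systemd itself, so this does not affect the watcher's inputs.
# Upgrade to ProtectSystem=strict plus ReadWritePaths= for the watcher's
# state directory once it is known where runtime state is written.
ProtectSystem=full
# ProtectKernelTunables: /proc/sys, /sys and friends are read-only;
# a file-tailing watcher has no reason to write there.
ProtectKernelTunables=true

[Install]
WantedBy=multi-user.target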