[Unit]
Description=Karl
After=network.target
Wants=network.target
StartLimitBurst=3
StartLimitIntervalSec=60

[Service]
User=karl
WorkingDirectory=/home/karl/app
ExecStart=/home/karl/app/venv/bin/gunicorn \
    -c /home/karl/app/gunicorn.conf.py \
    app.main:app

# Graceful reload (sends SIGHUP)
ExecReload=/bin/kill -s HUP $MAINPID

# Restart on failure
Restart=on-failure
RestartSec=5s

# Security hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ReadWritePaths=/var/log/karl /tmp

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=karl

[Install]
WantedBy=multi-user.target