[Unit]
Description=Karl
After=network.target
Wants=network.target
StartLimitBurst=3
StartLimitIntervalSec=60

[Service]
User=karl
WorkingDirectory=/opt/karl
ExecStart=/opt/karl/.venv/bin/python3 /opt/karl/src/karl/__init__.py

# Graceful reload (sends SIGHUP)
ExecReload=/bin/kill -s HUP $MAINPID

# Restart on failure
Restart=on-failure
RestartSec=5s

# Security hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ReadWritePaths=/var/log/karl /opt/karl/repository

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=karl

[Install]
WantedBy=multi-user.target