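# systemd service unit: Keboola Data Analyst Telegram Notification Bot.
# systemd recognises full-line comments only; every comment here is on its
# own line, because text after a value on the same line is read as part of
# the value (and a boolean such as "false # note" fails to parse).

[Unit]
Description=Keboola Data Analyst Telegram Notification Bot
# Wants= pulls network-online.target in; After= orders this unit behind it.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Runs unprivileged as deploy:data-ops. With NoNewPrivileges=false below, the
# sudoers policy for this user is the effective privilege boundary —
# TODO confirm it is scoped to the intended user scripts only.
User=deploy
Group=data-ops
WorkingDirectory=/opt/data-analyst/repo
ExecStart=/opt/data-analyst/.venv/bin/python -m server.telegram_bot.bot
# Restart after any exit, 10 seconds later.
Restart=always
RestartSec=10

# Environment (webapp .env + Keboola .env with bot token).
# Loading the token from a file rather than an inline Environment= keeps it
# out of `systemctl show` output; keep both files' modes restrictive.
EnvironmentFile=/opt/data-analyst/.env
EnvironmentFile=/opt/data-analyst/repo/.env

# Socket directory: /run/notify-bot/ (mode 0755, accessible to all analysts).
# 0755 only makes the directory world-traversable; the mode of the socket the
# bot creates inside it is set by the bot — NOTE(review): confirm who may connect.
RuntimeDirectory=notify-bot
RuntimeDirectoryMode=0755

# Security hardening
# Bot needs sudo -u to run user scripts on demand, so setuid transitions stay allowed.
NoNewPrivileges=false
# Whole filesystem read-only except the paths listed in ReadWritePaths=.
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/data/notifications /tmp
# Bot must read image files from users' /tmp/, so the shared /tmp is kept.
PrivateTmp=false

[Install]
WantedBy=multi-user.target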