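# Podman Quadlet container unit for KubeViz. The [Container] section is
# translated by Quadlet into a systemd service; [Unit], [Service] and
# [Install] are passed through to the generated unit.
# systemd accepts full-line comments only, so every comment sits on its own line.

[Unit]
Description=KubeViz (Go Kubernetes manifest visualizer)
After=network-online.target
Wants=network-online.target

[Container]
ContainerName=kubeviz
Image=localhost/kubeviz:prod
# NOTE(review): Pull=always attempts a registry pull on every start. With a
# localhost/ image name that only succeeds if a registry answers at
# "localhost"; if the image exists only in local storage the unit will likely
# fail to start. Confirm which is intended. A mutable tag such as :prod also
# means the running image can change between restarts without a change here.
Pull=always

# Bind only on localhost; Traefik handles public ingress.
# Host port 18080 is reachable from the loopback interface only.
PublishPort=127.0.0.1:18080:8080

# Runtime config
# ADDR=:8080 listens on all interfaces inside the container, which the
# published port above requires; external exposure is limited by PublishPort.
Environment=ADDR=:8080
Environment=SESSION_TTL=30m
# 5242880 = 5 * 1024 * 1024 (presumably bytes; verify against the application).
Environment=MAX_UPLOAD_SIZE=5242880
# Presumably sets the Secure attribute on cookies, so the public side must be
# served over HTTPS by the ingress; verify against the application.
Environment=COOKIE_SECURE=true
# NOTE(review): Content-Security-Policy appears to be switched off here. If the
# ingress does not add an equivalent header, the UI runs without CSP as a
# second line of defence against script injection. Confirm this is deliberate.
Environment=APP_CSP_ENABLED=false
Environment=LOG_LEVEL=info
# Presumably an allowlist of hosts the application may fetch repositories
# from; keep it as narrow as the deployment allows. Verify how the application
# matches entries (exact host or suffix).
Environment=GIT_ALLOWED_HOSTS=github.com,gitlab.com,bitbucket.org

# Optional: keep env values in a separate file
# If that file ever holds secrets, keep it owned by root and not world-readable.
# EnvironmentFile=/etc/kubeviz/kubeviz.env

# Security hardening
# No privilege gain through setuid/setgid binaries.
NoNewPrivileges=true
# Root filesystem is read-only; /tmp below is the only writable path set here.
ReadOnly=true
Tmpfs=/tmp:rw,size=128m,mode=1777
# Run as an unprivileged numeric UID/GID rather than root.
User=65532
Group=65532
# NOTE(review): capabilities are not dropped explicitly. A non-root process
# listening on 8080 normally needs none, so consider enabling the line below
# after testing the image with it.
# DropCapability=ALL

# Process / service behavior
# NOTE(review): "--help" only shows that the binary can execute; it does not
# verify that the HTTP listener is serving. If the application offers a health
# endpoint or health subcommand, use that for HealthCmd instead.
HealthCmd=/app/kubeviz --help
HealthInterval=30s
HealthTimeout=5s
HealthRetries=3

[Service]
Restart=always
RestartSec=3
TimeoutStartSec=90
TimeoutStopSec=20

[Install]
WantedBy=multi-user.target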