[Unit]
Description=OpenNebula Web UI Server
After=syslog.target network.target
After=opennebula.service
Wants=opennebula-novnc.service
AssertFileNotEmpty=/var/lib/one/.one/sunstone_auth

[Service]
Type=simple
Group=oneadmin
User=oneadmin
AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStartPre=-/usr/sbin/logrotate -f /etc/logrotate.d/opennebula-sunstone -s /var/lib/one/.logrotate.status
ExecStartPre=-/bin/sh -c 'for file in /var/log/one/sunstone*.log; do if [ ! -f "$file.gz" ]; then gzip -9 "$file"; fi; done'
ExecStart=/usr/bin/ruby /usr/lib/one/sunstone/sunstone-server.rb
ReadWriteDirectories=/var/lib/one /var/log/one/
ReadOnlyDirectories=-/var/lib/one/remotes
InaccessibleDirectories=-/var/lib/one/datastores
InaccessibleDirectories=-/var/lib/one/.ssh
InaccessibleDirectories=-/var/lib/one/.ssh-oneprovision
ReadWriteDirectories=/var/tmp
PrivateTmp=no
NoNewPrivileges=yes
PrivateDevices=yes
# ProtectSystem=strict is not known by old systemd, so we set
# full everywhere, and override by strict only where supported.
ProtectSystem=full
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
StartLimitInterval=60
StartLimitBurst=3
Restart=on-failure
RestartSec=5
SyslogIdentifier=opennebula-sunstone

[Install]
WantedBy=multi-user.target