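# systemd unit that builds the "No as a Service" (NaaS) image with podman and
# runs it as a single hardened container under the unprivileged naas account.
#
# NOTE: systemd does not pass Exec*= lines through a shell, so redirections
# and "|| true" would be handed to podman as literal arguments. Cleanup
# commands use the "-" prefix instead, which tells systemd to ignore a
# non-zero exit status.

[Unit]
Description=No as a Service (NaaS)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
Restart=always
RestartSec=10
TimeoutStopSec=30

# User configuration (adjust as needed)
User=naas
Group=naas

# Environment configuration
# PORT is the single source of truth for the listen port; ExecStart expands it.
Environment="PORT=8080"
Environment="BUILDAH_FORMAT=docker"

# Container management
# Remove a stale container left by an unclean stop; failure (no such
# container) is ignored through the "-" prefix.
ExecStartPre=-/usr/bin/podman rm -f naas-container
# The image is rebuilt from /opt/naas on every start, so whoever can write to
# that directory decides what code the service runs. Keep it owned by root and
# not writable by the naas account.
ExecStartPre=/usr/bin/podman build -t naas:latest /opt/naas
# Container hardening: read-only root filesystem, no privilege escalation, and
# all capabilities dropped except NET_BIND_SERVICE.
# NOTE(review): NET_BIND_SERVICE is only needed to bind ports below 1024; with
# PORT=8080 it can be dropped.
# NOTE(review): --network=host shares the host network namespace with the
# container; publishing only the service port gives tighter isolation if the
# application does not need host networking.
ExecStart=/usr/bin/podman run \
    --name naas-container \
    --rm \
    --network=host \
    --read-only \
    --security-opt no-new-privileges \
    --cap-drop ALL \
    --cap-add NET_BIND_SERVICE \
    -e PORT=${PORT} \
    naas:latest
ExecStop=/usr/bin/podman stop naas-container
# --rm normally removes the container already; this is a best-effort sweep.
ExecStopPost=-/usr/bin/podman rm -f naas-container

# Security settings
# These sandbox the podman process that systemd starts.
# NOTE(review): ProtectSystem=strict with an empty ReadWritePaths= leaves the
# file system read-only apart from /dev, /proc, /sys and the private /tmp, and
# ProtectHome=true hides /home. podman build/run need writable image storage
# and a runtime directory, so list those locations here, for example
# ReadWritePaths=<PODMAN_STORAGE_DIR> <PODMAN_RUNTIME_DIR> (placeholders), and
# confirm the service starts.
# NOTE(review): rootless podman may rely on the setuid newuidmap/newgidmap
# helpers, which NoNewPrivileges=true prevents from gaining privileges; verify
# that user-namespace setup still works for the naas account.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=

# Resource limits
# MemoryMax= replaces the deprecated MemoryLimit= setting.
# NOTE(review): confirm the container processes stay inside this unit's
# cgroup; if podman places them in a separate scope, set the limits on the
# container itself (podman run --memory / --cpus).
MemoryMax=256M
CPUQuota=50%

[Install]
WantedBy=multi-user.target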