[Unit]
Description=Traefik DNS Watcher — automatic DNS reconciliation from Traefik routers
Documentation=https://github.com/yourorg/traefik-dns-watcher
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=traefik-dns-watcher
Group=traefik-dns-watcher

# Configuration is loaded from this file (copy from .env.example and fill in values).
EnvironmentFile=/etc/traefik-dns-watcher/env

ExecStart=/usr/local/bin/traefik-dns-watcher

# Restart policy: restart on unexpected exit, but not on clean stop (exit code 0).
Restart=on-failure
RestartSec=10s

# Allow the service user to access the Docker socket.
# Ensure the user is a member of the 'docker' group:
#   usermod -aG docker traefik-dns-watcher
SupplementaryGroups=docker

# Logging goes to journald.
StandardOutput=journal
StandardError=journal
SyslogIdentifier=traefik-dns-watcher

# Basic hardening.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full

[Install]
WantedBy=multi-user.target