[Unit]
Description=PDF OCR Hotfolder (Instance: %i)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=pdfocr
Group=pdfocr
ExecStart=/opt/pdf-ocr-hotfolder/venv/bin/python -m pdf_ocr_hotfolder --config /etc/pdf-ocr-hotfolder/%i.toml
Restart=on-failure
RestartSec=5
KillMode=mixed
TimeoutStopSec=30

# Hardening (lockerer wegen AD-User & Datei-ACLs)
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

[Install]
WantedBy=multi-user.target