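# systemd unit for Lakehouse-Go storaged, the S3-backed object store gateway.
# Runs as the unprivileged lakehouse user; enabled through lakehouse-go.target.

[Unit]
Description=Lakehouse-Go storaged — S3-backed object store gateway
Documentation=https://git.agentview.dev/profit/golangLAKEHOUSE
After=network-online.target
Wants=network-online.target

# Operator prereq: MinIO (or AWS S3) reachable at the URL in
# /etc/lakehouse/secrets-go.toml [s3.primary]. Not a systemd unit
# we control, so we just wait for network and let the bind+probe
# in storaged surface unreachable-bucket errors.

[Service]
Type=simple
User=lakehouse
Group=lakehouse
WorkingDirectory=/var/lib/lakehouse
# The daemon itself opens both files as User=lakehouse, so the secrets file
# must be readable by that account; keep it unreadable to everyone else.
ExecStart=/usr/local/bin/lakehouse/storaged -config /etc/lakehouse/lakehouse.toml -secrets /etc/lakehouse/secrets-go.toml
Restart=on-failure
RestartSec=5

# Per ADR-006 Decision 6.2: auth token from env, not committed TOML.
# Empty AUTH_TOKEN is fine for loopback-only deploys (matches
# requireAuthOnNonLoopback gate at startup).
# The leading "-" makes a missing file non-fatal, so on a non-loopback deploy
# that startup gate is the only thing refusing to run without a token.
# systemd reads these files itself when it starts the service, so they can
# stay root-owned with mode 0600.
EnvironmentFile=-/etc/lakehouse/auth.env
EnvironmentFile=-/etc/lakehouse/langfuse.env

# Hardening — minimum needed for the daemon to read its config
# + write its log + open its bind port.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
# The only persistent paths left writable under ProtectSystem=strict.
# Both must exist before start: a listed path that is missing (and has no
# "-" prefix) makes the mount-namespace setup fail.
ReadWritePaths=/var/lib/lakehouse /var/log/lakehouse

# Additional sandboxing for interfaces nothing in this unit uses: device
# nodes, kernel tunables and modules, the cgroup tree, setuid/setgid file
# creation and personality switching.
# NOTE(review): confirm against the daemon on a staging host before rollout.
# `systemd-analyze security <this-unit>` lists what remains exposed;
# RestrictAddressFamilies=, CapabilityBoundingSet= and SystemCallFilter= are
# the next candidates but depend on what storaged does at runtime.
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictSUIDSGID=true
LockPersonality=true

# Log routing — JSON to journald, structured per slogRequest middleware.
StandardOutput=journal
StandardError=journal
SyslogIdentifier=lakehouse-storaged

[Install]
WantedBy=lakehouse-go.target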