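#
# Systemd unit file for Apache Tomcat
#
# Jinja2 template. "item" describes one Tomcat instance (http_port,
# instance_path, user, java_home, catalina_tmp_directory); presumably the
# template is rendered once per instance - confirm against the calling task.
# Keep comments on their own lines: systemd does not support trailing comments.
#

[Unit]
Description=Apache Tomcat {{ tomcat_version }} Web Application Server
After=syslog.target network.target
# Start rate limit: more than 5 starts within 500 seconds puts the unit into
# the failed state, so a crash loop does not restart forever.
StartLimitIntervalSec=500
StartLimitBurst=5
# Whitespace-separated list of paths. A path containing spaces would be split
# into several entries, so the variables must render to space-free paths.
RequiresMountsFor={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} {{ item.instance_path }}

[Service]
{% if limits_nofile_value is defined %}
LimitNOFILE={{ limits_nofile_value }}
{% endif %}
Environment="CATALINA_HOME=/usr/share/tomcat{{ tomcat_version }}"
Environment="CATALINA_BASE={{ item.instance_path }}"
Environment="CATALINA_TMPDIR={{ item.catalina_tmp_directory }}"
Environment="JAVA_HOME={{ item.java_home }}"
Environment="JRE_HOME={{ item.java_home }}"

Type=simple
# The "+" prefix runs this command with full privileges: User=, Group= and the
# sandboxing options below are NOT applied to it. The script and every
# directory on its path must be owned by root and not writable by the service
# user, otherwise the service account can run code as root on the next start.
ExecStartPre=+/usr/libexec/tomcat{{ tomcat_version }}/tomcat-update-policy.sh
ExecStart=/bin/sh /usr/libexec/tomcat{{ tomcat_version }}/tomcat-instance-{{ item.http_port }}-start.sh
# 143 = 128 + SIGTERM(15), the exit status of a JVM stopped by SIGTERM;
# treated as a clean stop so that Restart=on-failure does not fire on it.
SuccessExitStatus=143 0
RestartSec=10
Restart=on-failure

# Logging
SyslogIdentifier=tomcat{{ tomcat_version }}

# Unprivileged service account; the group name is taken from item.user as well.
User={{ item.user }}
Group={{ item.user }}

# Sandboxing is opt-in. When tomcat_systemd_security is false the unit is
# confined by User=/Group= only.
{% if tomcat_systemd_security %}
PrivateTmp=yes
# Lets the unprivileged user bind ports below 1024.
# NOTE(review): if no instance listens on a privileged port this capability
# can be dropped.
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
# CacheDirectory= accepts only paths relative to /var/cache (no "..");
# tomcat_m_cache_base must therefore render to a relative name - confirm.
CacheDirectory={{ tomcat_m_cache_base }}/{{ item.http_port }}
CacheDirectoryMode=750
# The whole file system is read-only for the service except the
# ReadWritePaths= entries that follow.
ProtectSystem=strict
ReadWritePaths={{ item.instance_path }}/conf/Catalina/
# NOTE(review): webapps and lib hold code that Tomcat loads. Leaving them
# writable means a compromised instance can alter what runs after the next
# restart; keep them writable only if deployment really needs it.
ReadWritePaths={{ item.instance_path }}/webapps
ReadWritePaths={{ item.instance_path }}/lib
ReadWritePaths={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }}
{% for path in tomcat_systemd_additional_rw_paths %}
ReadWritePaths={{ path }}
{% endfor %}

{% if tomcat_systemd_security_enhanced %}
# ProtectSystem=strict is already set a few lines up in this [Service]
# section, so it is not repeated here.
ProtectHome=yes
PrivateDevices=yes
# NOTE(review): with PrivateUsers=yes the service holds no capabilities in the
# host user namespace, so AmbientCapabilities=CAP_NET_BIND_SERVICE no longer
# permits binding host ports below 1024. Instances on privileged ports need a
# different arrangement (for example an unprivileged port behind a proxy).
PrivateUsers=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
# Only IPv4/IPv6 sockets can be created. AF_UNIX is excluded, which blocks
# anything that talks over a Unix domain socket - verify that the JVM and the
# deployed applications do not need one.
RestrictAddressFamilies=AF_INET6 AF_INET
SystemCallArchitectures=native
SystemCallFilter=@system-service
{% endif %}
{% endif %}

[Install]
WantedBy=multi-user.target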