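# systemd unit for ward, the Kubernetes credential gateway.
# Site-specific changes belong in a drop-in under
# /etc/systemd/system/ward.service.d/ rather than in this file.
[Unit]
Description=ward — Kubernetes credential gateway (LDAP/Kerberos/htpasswd)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Adjust or override in /etc/systemd/system/ward.service.d/local.conf
# Replace YOUR_K3S_HOSTNAME with the k3s API server hostname.
ExecStart=/usr/local/bin/ward \
    --k3s-server=https://YOUR_K3S_HOSTNAME:6443 \
    --addr=:8443
# SIGHUP reloads the htpasswd file without restarting.
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=5s

# Must run as root to read:
#   /var/lib/rancher/k3s/server/tls/client-ca.key
#   /etc/letsencrypt/live/*/privkey.pem
#   /etc/krb5.keytab (if using Kerberos)
# Tighten by granting group read access to those files instead.
# NOTE(review): as uid 0 owns those files, the process should not need
# capabilities to read them; CapabilityBoundingSet= could be narrowed once
# verified against the binary.
User=root

# Sandboxing. Because the service runs as root, these mount/seccomp-based
# restrictions are the main limit on what a compromised process can reach.
# Directives unknown to an older systemd are logged and ignored, not fatal.
NoNewPrivileges=yes
# /usr, /boot, /efi and /etc become read-only; ward only reads its
# credentials and config. If it also writes nothing outside /var, raise this
# to ProtectSystem=strict with ReadWritePaths= for any state directory.
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
# Minimal /dev (null, zero, random, urandom, ...) is still available for TLS.
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
RestrictNamespaces=yes
LockPersonality=yes
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target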