# systemd unit that runs the aitrader Streamlit dashboard as the
# unprivileged "aitrader" user on TCP port 8501.

[Unit]
Description=aitrader Streamlit dashboard
Wants=network-online.target
After=network-online.target tailscaled.service

[Service]
Type=simple
User=aitrader
Group=aitrader
WorkingDirectory=/opt/aitrader

# Environment variables are loaded from this file at service start.
# NOTE(review): presumably holds credentials; keep it unreadable for other
# local users (for example mode 0600) and out of version control.
EnvironmentFile=/opt/aitrader/.env

# Listens on all interfaces. UFW blocks 8501 on the public side, so the
# dashboard is meant to be reachable only through Tailscale.
# The firewall rule is therefore the only control keeping the port private:
# if UFW is disabled, reset, or bypassed by another rule set, 8501 is exposed.
# To bind strictly to the tailscale0 interface, replace the value of
# --server.address with the host's Tailscale IP.
ExecStart=/opt/aitrader/.venv/bin/streamlit run src/aitrader/dashboard/app.py \
    --server.port 8501 --server.address 0.0.0.0 \
    --server.headless true --browser.gatherUsageStats false

# Restart only after a failure, waiting 10 seconds between attempts.
Restart=on-failure
RestartSec=10

# stdout and stderr both go to the journal.
StandardOutput=journal
StandardError=journal

# Sandboxing: no privilege gain through setuid/setgid binaries or file
# capabilities, a private /tmp, and a read-only file system except for the
# data directory listed in ReadWritePaths.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ReadWritePaths=/opt/aitrader/data
# Home directories stay visible to the service (read-only under
# ProtectSystem=strict).
# NOTE(review): tighten to read-only or true if the app needs nothing under
# /home, /root or /run/user; confirm where the aitrader user's home lives.
ProtectHome=false

[Install]
WantedBy=multi-user.target