Security

[Unit]
Description=Konduktor Agent Control Plane
Documentation=https://github.com/yakkomajuri/konduktor-oss
After=network.target

[Service]
Type=simple
User=${KONDUKTOR_USER} # user you ran the install script in
Group=${KONDUKTOR_USER}
WorkingDirectory=${REPO_DIR}
Environment=HOME=${KONDUKTOR_HOME} # $HOME by default
Environment=PATH=${HOME}/.local/bin:/usr/local/bin:/usr/bin:/bin
${EXTERNAL_URL:+Environment=KONDUKTOR_EXTERNAL_URL=${EXTERNAL_URL}} # EXTERNAL_URL is set to your public IP or the configured domain name
Environment=KONDUKTOR_UI_DIR=${REPO_DIR}/ui/dist # REPO_DIR is $HOME/konduktor-oss by default
ExecStart=${KONDUKTOR_SERVER_BIN} start --host 127.0.0.1 --port 8080 # looks for the konduktor-server binary on the PATH else falls back to $HOME/.local/bin/konduktor-server
Restart=on-failure
RestartSec=5
KillMode=process
StandardOutput=journal
StandardError=journal
SyslogIdentifier=konduktor

# Hardening
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=${KONDUKTOR_HOME}/.konduktor ${KONDUKTOR_HOME}/.claude ${KONDUKTOR_HOME}/.local ${KONDUKTOR_HOME}/.cache /tmp

[Install]
WantedBy=multi-user.target