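# tunnel-rotation service - Cloudflare Tunnel credential renewal cycle.
# Read by systemd (systemd.service / systemd.exec syntax, not generic INI):
# `#` or `;` full-line comments only, `=` delimiter, backslash-newline
# continuation. Type=oneshot: meant to be driven by a matching .timer unit,
# which is why there is no [Install] section here.
# Directives unknown to an older systemd are logged and ignored, never fatal.
[Unit]
Description=Cloudflare Tunnel Rotation - Credential renewal cycle
Documentation=https://vaultmesh.org/docs/cloudflare-binding
# After= only orders this unit relative to network-online.target; Wants= is
# what actually pulls that target in, otherwise the API calls can race
# network setup at boot.
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
User=cloudflare-mesh
Group=cloudflare-mesh

# Environment
# The environment file carries the Cloudflare credentials: keep it root-owned
# with mode 0600. Unlike Environment=, its contents are not shown by
# `systemctl show`. LoadCredential= would deliver the API token as a file under
# $CREDENTIALS_DIRECTORY instead of the process environment - worth adopting.
EnvironmentFile=/etc/cloudflare-mesh/environment
Environment=PYTHONUNBUFFERED=1

# Execution
# ${VAR} expands to exactly one argument, an empty string if the variable is
# unset, so the script must validate both ids itself. Only non-secret
# identifiers belong on the command line (it is world-readable via /proc);
# the API token must stay in the environment file or a credential.
# The unit of --max-age is not stated here - confirm in the scheduler script.
ExecStart=/usr/bin/python3 /opt/cloudflare-mesh/scripts/tunnel-rotation-scheduler.py \
    --account-id ${CLOUDFLARE_ACCOUNT_ID} \
    --zone-id ${CLOUDFLARE_ZONE_ID} \
    --max-age 90

# Security hardening
# Filesystem: ProtectSystem=strict already mounts everything read-only except
# the ReadWritePaths= below; ReadOnlyPaths=/ is redundant with it and kept
# only for explicitness. StateDirectory=cloudflare-mesh / LogsDirectory=
# cloudflare-mesh would create the two writable directories with the right
# ownership - adopt once existing ownership has been checked. UMask=0077 is
# worth considering if nothing else needs to read the log files.
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ReadOnlyPaths=/
ReadWritePaths=/var/lib/cloudflare-mesh
ReadWritePaths=/var/log/cloudflare-mesh
# Kernel interfaces an API client has no reason to touch.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
# Process restrictions. An HTTPS client needs AF_INET/AF_INET6; AF_UNIX covers
# NSS/resolver sockets. The empty capability sets drop every capability.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
RemoveIPC=yes
CapabilityBoundingSet=
AmbientCapabilities=
# Seccomp: @system-service is the documented baseline for ordinary services
# and is sufficient for CPython; a violation kills the process with SIGSYS and
# is visible in the journal. MemoryDenyWriteExecute=yes is deliberately left
# out: libffi-backed extensions (cffi) can need W+X pages - enable it only
# after testing the script's dependencies.
SystemCallArchitectures=native
SystemCallFilter=@system-service

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=tunnel-rotation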