# Podman Quadlet container unit for the tdd.md homepage (Bun app).
# Runs the locally built image inside the tdd.pod pod and wires in the data
# volume, the bare git repository and the application secrets.
[Unit]
Description=tdd.md homepage (Bun)
# Order after, and pull in, network-online.target.
After=network-online.target
Wants=network-online.target

[Container]
ContainerName=tdd-md
Image=localhost/tdd-md:latest
Pod=tdd.pod
# The image is built on p620 by deploy-tdd-md.sh — no registry pull.
# That is why there is no AutoUpdate=registry here.
# NOTE(review): no NoNewPrivileges=, DropCapability= or ReadOnly= is set in
# this section, and the user the image runs as is not visible from this file.
# Confirm what the app needs before tightening.
Environment=PORT=3000
Environment=NODE_ENV=production
Environment=BASE_URL=https://tdd.md

# SQLite for judge verdicts. Persisted in a named podman volume.
# :Z relabels for SELinux (Fedora Atomic).
Volume=tdd-md-data:/app/data:Z
Environment=TDD_DB_PATH=/app/data/runs.db

# Bare git repository — the canonical source for syntaxai/tdd.md. Admin
# web-edits commit here directly via `git` plumbing (c14_git). Dev pushes
# via SSH to /home/scri/repos/tdd.md.git on the host. The deploy script
# pulls from this same path. Forgejo no longer participates in tdd.md's
# own repo lifecycle (it stays around only for agent kata repos).
# NOTE(review): the mount is read-write and the deploy script builds from this
# path, so the web-facing container can write to the source of the next
# deployed image. Treat commits made from inside the container as untrusted
# input to the build (review or verify them before deploying).
# NOTE(review): :Z applies a container-private SELinux label to the host
# directory itself. The SSH pushes and the deploy script use the same path
# from the host — confirm they run in a domain that can still access it.
Volume=/home/scri/repos/tdd.md.git:/app/repo:Z
Environment=TDD_GIT_DIR=/app/repo

# Talks to Forgejo over the host network (Forgejo publishes :44400 on the host).
# host.containers.internal is the default rootless-podman alias for the host.
# Used only for agent kata operations (registerAgent, repo creation,
# webhook setup) — NOT for tdd.md's own repo anymore.
# NOTE(review): the URL is plain http, so FORGEJO_ADMIN_TOKEN is sent
# unencrypted on this hop. Presumably the traffic never leaves the host —
# confirm that :44400 is not reachable from other machines.
Environment=FORGEJO_URL=http://host.containers.internal:44400

# GitHub OAuth client_id is public (it appears in redirect URLs anyway);
# client_secret lives in a podman secret.
Environment=GITHUB_CLIENT_ID=Ov23li9O1wWWJDjlm6dX
# type=env places each secret in the container's process environment, where it
# is inherited by child processes (the comments above mention `git` being
# invoked). type=mount is the file-based alternative if the app can read files.
Secret=tdd_github_client_secret,type=env,target=GITHUB_CLIENT_SECRET
# NOTE(review): the name suggests an admin-scoped Forgejo token. If so, a
# compromise of this container extends to Forgejo — check whether a narrower
# token covers the agent kata operations.
Secret=tdd_forgejo_admin_token,type=env,target=FORGEJO_ADMIN_TOKEN
Secret=tdd_webhook_secret,type=env,target=WEBHOOK_SECRET
Secret=tdd_session_secret,type=env,target=SESSION_SECRET

# No PublishPort — the pod already publishes :44390 → :3000.
# NOTE(review): the bind address of that published port is set in the pod
# unit, which is not visible from this file.

[Service]
# Always restart the container; allow 60 seconds for start-up.
Restart=always
TimeoutStartSec=60

[Install]
WantedBy=default.target