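# ik-llama-server.service — systemd unit for the ik_llama.cpp inference server.
# Read by systemd (unit-file syntax, not generic INI): comments must be on their
# own line, a trailing `\` continues the value on the next line, and ${VAR}/$VAR
# in ExecStart= are expanded by systemd from EnvironmentFile=, not by a shell.

[Unit]
Description=ik_llama.cpp inference server (OpenAI-compatible HTTP API)
Documentation=https://github.com/ikawrakow/ik_llama.cpp
After=network-online.target
Wants=network-online.target

[Service]
Type=exec
# Dedicated unprivileged account; nothing below grants capabilities back.
User=ik-llama
Group=ik-llama
# Supplies LLAMA_MODEL, LLAMA_HOST, LLAMA_PORT, LLAMA_THREADS, LLAMA_CTX and
# LLAMA_EXTRA_ARGS. It is read by systemd before privileges are dropped, so if
# it carries secrets keep it readable by root only.
EnvironmentFile=/etc/ik-llama/ik-llama-server.conf
# Binary is ik_-prefixed to coexist with upstream llama.cpp.
# ${VAR} expands to exactly one argument (paths with spaces stay intact);
# $LLAMA_EXTRA_ARGS is deliberately unbraced so it splits into several.
ExecStart=/usr/bin/ik_llama-server \
    --model ${LLAMA_MODEL} \
    --host ${LLAMA_HOST} \
    --port ${LLAMA_PORT} \
    --threads ${LLAMA_THREADS} \
    --ctx-size ${LLAMA_CTX} \
    $LLAMA_EXTRA_ARGS
Restart=on-failure
# seconds
RestartSec=3
# Models live under /var/lib/ik-llama/models (StateDirectory)
StateDirectory=ik-llama
WorkingDirectory=/var/lib/ik-llama

# --- Hardening ---
# With ProtectSystem=strict the whole filesystem is read-only to the service
# except the StateDirectory= above (plus the API sockets it listens on).
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
ProtectProc=invisible
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
# The service already runs unprivileged; an explicit empty bounding set keeps
# that true even if AmbientCapabilities= is ever added in a drop-in.
CapabilityBoundingSet=
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
SystemCallArchitectures=native
# Files the server creates under StateDirectory are private to ik-llama.
UMask=0077
# PrivateDevices= and MemoryDenyWriteExecute= are intentionally not set: GPU
# backends need /dev access and may need writable+executable mappings. Any
# directive unknown to an older systemd is ignored with a warning, not an error.

# NOTE: systemd cannot expand environment variables in ReadWritePaths,
# ReadOnlyPaths, or StateDirectory directives. If your models live OUTSIDE
# /var/lib/ik-llama (e.g. under /home or another mount), you must create a
# drop-in override granting the appropriate ReadWritePaths= or ReadOnlyPaths=
# to that location. ProtectHome=true may also need to be overridden in that
# case; prefer ProtectHome=read-only (or ProtectHome=tmpfs together with
# BindReadOnlyPaths=, which exposes only the listed directory) over
# ProtectHome=false, since loading models needs no write access to /home.
# Example drop-in:
#
# /etc/systemd/system/ik-llama-server.service.d/models-path.conf
# [Service]
# ProtectHome=read-only
# ReadOnlyPaths=/home/models

[Install]
WantedBy=multi-user.target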