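# systemd unit for the stable-diffusion.cpp HTTP server (sd-server).
# Runtime settings (SD_MODEL, SD_HOST, SD_PORT, SD_THREADS, SD_EXTRA_ARGS)
# come from the EnvironmentFile= named in [Service]; this file only wires
# them into the command line and confines the process.

[Unit]
Description=stable-diffusion.cpp HTTP server (OpenAI + A1111-SDAPI + native API)
Documentation=https://github.com/leejet/stable-diffusion.cpp
After=network-online.target
Wants=network-online.target

[Service]
Type=exec
User=sd-cpp
Group=sd-cpp

# Defaults for the listen address and port, matching the upstream defaults
# listed next to ExecStart=. Values from EnvironmentFile= override these, so an
# env file that sets SD_HOST / SD_PORT behaves exactly as before; one that omits
# them no longer passes an empty argument to --listen-ip / --listen-port.
# The default is loopback-only. The unit adds no authentication in front of the
# HTTP API, so before widening SD_HOST check whether sd-server offers any and,
# if not, keep it behind an authenticating reverse proxy.
Environment=SD_HOST=127.0.0.1
Environment=SD_PORT=1234
# Read by systemd (as root) before privileges are dropped, so the file can stay
# root-owned and unreadable by the sd-cpp user even though the service runs as
# that user. SD_MODEL and SD_THREADS have no default here and must be set in it.
EnvironmentFile=/etc/sd-cpp/sd-server.conf

# Binary is installed to /usr/bin/sd-server by cmake (examples/server target).
# CLI flags verified from upstream source (examples/server/runtime.cpp):
#   -l / --listen-ip     listen address (default 127.0.0.1)
#   --listen-port        listen port (default 1234)
#   -m / --model         model path
#   -t / --threads       CPU thread count
#
# Expansion rules matter here: ${VAR} always yields exactly one argument (an
# empty one if the variable is unset), which is right for the single-valued
# options above. SD_EXTRA_ARGS is deliberately written unbraced: $VAR is
# split on whitespace into separate arguments and contributes no argument at
# all when empty. Braced, a value like "--flag-a --flag-b" would reach
# sd-server as one argument, and an unset variable as a stray empty string.
ExecStart=/usr/bin/sd-server \
    --model ${SD_MODEL} \
    --listen-ip ${SD_HOST} \
    --listen-port ${SD_PORT} \
    --threads ${SD_THREADS} \
    $SD_EXTRA_ARGS
Restart=on-failure
# seconds between restart attempts
RestartSec=3

# Models live under /var/lib/sd-cpp/models (StateDirectory)
StateDirectory=sd-cpp
WorkingDirectory=/var/lib/sd-cpp

# --- Hardening ---
# The process runs as an unprivileged user, so it needs no capabilities at all;
# clearing the bounding set and forbidding privilege gain makes that explicit.
CapabilityBoundingSet=
NoNewPrivileges=true
# Whole filesystem read-only except StateDirectory= (and /dev, /proc, /sys);
# see the drop-in note below if models live elsewhere.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectHostname=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
SystemCallArchitectures=native
# Deliberately NOT set: PrivateDevices=, DevicePolicy=, MemoryDenyWriteExecute=,
# and ProtectClock= (which implies a DeviceAllow= and thereby turns the default
# DevicePolicy=auto into closed). If this build uses a GPU backend it needs the
# corresponding device nodes under /dev, and its runtime may require
# writable+executable mappings; any of these settings would break that.
# For a CPU-only build they can be enabled through a drop-in override.

# NOTE: systemd cannot expand environment variables in ReadWritePaths,
# ReadOnlyPaths, or StateDirectory directives. If your models live OUTSIDE
# /var/lib/sd-cpp (e.g. under /home or another mount), you must create a
# drop-in override granting the appropriate ReadOnlyPaths= to that location.
# ProtectHome=true may also need to be overridden in that case.
#
# Example drop-in:
# /etc/systemd/system/sd-server.service.d/models-path.conf
#   [Service]
#   ProtectHome=false
#   ReadOnlyPaths=/home/models

[Install]
WantedBy=multi-user.target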