# systemd service unit template for the dbbackup cluster backup job.
# Values in double curly braces are template fields; presumably the
# installer substitutes them before the unit is written to disk.
# Keep comments on their own lines: systemd has no inline comments.

[Unit]
Description=Database Cluster Backup
Documentation=https://github.com/PlusOne/dbbackup
# After= is ordering only: it does not start or require the database
# services, it only delays this job if they are starting at the same time.
After=network-online.target postgresql.service mysql.service mariadb.service
Wants=network-online.target

[Service]
# oneshot: the unit is "activating" for as long as ExecStart runs.
Type=oneshot
# Runs under the templated account rather than a fixed user.
# NOTE(review): confirm the installer never renders this as root; most of
# the sandboxing below is much weaker against a root process.
User={{.User}}
Group={{.Group}}

# Security hardening
# The two empty capability assignments at the end of this group clear the
# bounding and ambient sets, so the job and its children hold no capabilities.
# PrivateTmp= gives the job its own /tmp and /var/tmp, so staging files
# written there are not visible to other services.
# NOTE(review): not set here: PrivateDevices=, ProtectKernelLogs=,
# ProtectClock=, ProtectHostname=, RestrictNamespaces=, SystemCallFilter=,
# SystemCallArchitectures=, UMask=. Check the rendered unit with
# "systemd-analyze security" and test each addition against the dump tools
# the backup binary invokes before enabling it.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
LockPersonality=yes
RemoveIPC=yes
CapabilityBoundingSet=
AmbientCapabilities=

# Directories
# With ProtectSystem=strict the file system is read-only for this job;
# these are the only writable exceptions.
# The list is space-separated, so a backup directory containing whitespace
# would be split into several paths - TODO confirm the generator rejects or
# escapes such values.
# Paths listed here must exist when the job starts unless prefixed with "-".
ReadWritePaths={{.BackupDir}} /var/lib/dbbackup /var/log/dbbackup

# Network access for cloud uploads
# Limits which socket families may be created (AF_UNIX presumably for local
# database sockets). It does not limit destinations; restricting egress
# needs IPAddressAllow=/IPAddressDeny= or a host firewall.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# Environment
# The leading "-" makes a missing file non-fatal.
# NOTE(review): if this file carries database or cloud credentials, keep it
# root-owned and not world-readable. systemd loads it while starting the
# service, so the service account should not need read access - confirm on
# the target systemd version.
EnvironmentFile=-/etc/dbbackup/env.d/cluster.conf

# Execution - cluster backup (all databases)
ExecStart={{.BinaryPath}} backup cluster --config {{.ConfigPath}}
# For a oneshot unit this bounds the whole ExecStart run; a value shorter
# than the longest expected backup terminates the job and marks it failed.
TimeoutStartSec={{.TimeoutSeconds}}

# Post-backup metrics export
# Runs after ExecStart finishes, including when it failed. The leading "-"
# means a failing export does not change the unit's result.
# The output path is inside /var/lib/dbbackup, which is writable above.
ExecStopPost=-{{.BinaryPath}} metrics export --instance cluster --output /var/lib/dbbackup/metrics/cluster.prom

# OOM protection for large backups
# A negative value makes the kernel OOM killer less likely to pick this job.
# NOTE(review): under memory pressure other processes, possibly the database
# server itself, become the preferred victims; consider pairing this with
# MemoryMax= so the backup has its own ceiling.
OOMScoreAdjust=-500

[Install]
# NOTE(review): enabling the unit itself starts a cluster backup during boot.
# If a timer unit (not visible here) schedules this job, enable the timer
# and leave the service disabled.
WantedBy=multi-user.target