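[Unit]
# unibus membershipd — cluster node (issue 0006g).
#
# One unit, parameterized per node by /opt/unibus/cluster.env (generated by
# deploy-cluster.sh): NODE_NAME, ROUTES and the cert paths differ per node; the
# rest of the posture (enforce + per-subject ACL + TLS + --store kv) is identical
# on every node, which is the homogeneous posture a secure cluster requires
# (audit 0008 N1).
#
# NOTE(review): Restart=always (in [Service]) does not bypass systemd's start
# rate limit (StartLimitIntervalSec= / StartLimitBurst=, configured in this
# section on current systemd; defaults are 5 starts per 10 s). With RestartSec=2
# a crash loop hits that limit and the unit stays "failed" — still a silently
# dead node. Either alert on unit failure or raise the limit here deliberately;
# left unchanged pending that decision.
Description=unibus membershipd (cluster node)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
WorkingDirectory=/opt/unibus
# No "-" prefix on purpose: a missing cluster.env fails the start (fail-closed)
# rather than launching membershipd with empty ${...} arguments. The file holds
# paths and names only; the secret itself lives in ${CLUSTER_PASS_FILE}, so the
# process environment (/proc/<pid>/environ) carries no credential.
EnvironmentFile=/opt/unibus/cluster.env

# NOTE(review): no User=/Group= is set, so membershipd runs as root. Least
# privilege wants a dedicated service account that owns the TLS key files and
# ${CLUSTER_PASS_FILE} (mode 0600). TODO: set User=/Group= once
# deploy-cluster.sh creates that account and chowns the paths in cluster.env.
# Hardening below is safe regardless of the account in use.
NoNewPrivileges=true
# assumes nothing in cluster.env (kv state, certs, pass file) points into /tmp —
# confirm against deploy-cluster.sh.
PrivateTmp=true

# The route password comes from a FILE referenced by ${CLUSTER_PASS_FILE}, never
# from argv (audit 0008 N1-low). The peer --routes carry no userinfo; membershipd
# injects the credentials from the file/user.
#
# Every variable is written ${VAR}: systemd expands that form to exactly ONE
# argv word (no whitespace splitting), unlike $VAR. Keep it that way so a
# ROUTES or NODE_NAME value can never introduce extra flags into the command
# line.
#
# --bind 0.0.0.0 listens on all IPv4 interfaces; --bus-auth enforce plus the TLS
# flags are what make that acceptable, so they must not be relaxed per node.
ExecStart=/opt/unibus/membershipd \
  --bind 0.0.0.0 \
  --bus-auth enforce \
  --http-port ${HTTP_PORT} \
  --nats-port ${NATS_CLIENT_PORT} \
  --tls-cert ${TLS_CERT} \
  --tls-key ${TLS_KEY} \
  --cluster-name ${CLUSTER_NAME} \
  --server-name ${NODE_NAME} \
  --cluster-port ${NATS_ROUTE_PORT} \
  --routes ${ROUTES} \
  --cluster-user ${CLUSTER_USER} \
  --cluster-pass-file ${CLUSTER_PASS_FILE} \
  --route-tls-cert ${ROUTE_TLS_CERT} \
  --route-tls-key ${ROUTE_TLS_KEY} \
  --route-tls-ca ${ROUTE_TLS_CA} \
  --store kv \
  --kv-replicas ${KV_REPLICAS}

# Restart=always (NOT on-failure): a clean SIGTERM exits success, and on-failure
# would then NOT restart, leaving the node silently dead (see function_tags.md).
Restart=always
RestartSec=2
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target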