File: //proc/thread-self/root/proc/thread-self/root/lib/systemd/system/ssa-agent.service
[Unit]
# Identity of the unit and its relationship to ssa-agent.socket.
Description=PHP Cloudlinux SSA Agent Service
# Requires= pulls ssa-agent.socket in as a hard dependency: if the socket unit
# fails to start or is stopped, this service is stopped with it.
# Presumably that socket is the agent's listening endpoint; its ownership and
# mode are defined in ssa-agent.socket, not here (verify there).
Requires=ssa-agent.socket
# After= only orders start-up; it does not pull the listed units in.
After=network.target ssa-agent.socket
[Service]
# Runtime definition of the agent: lifecycle, resource ceilings, numpy
# threading, privilege limits and the filesystem view it is sandboxed into.

# --- Process lifecycle ---
Type=simple
ExecStart=/usr/sbin/cloudlinux-ssa-agent
# Restart only after an unclean exit (non-zero status, fatal signal, timeout),
# waiting 3 seconds between attempts.
Restart=on-failure
RestartSec=3
# TimeoutSec= sets both the start and the stop timeout.
TimeoutSec=120s

# --- Resource ceilings ---
LimitNOFILE=65535
# TasksMax leaves room above ThreadPoolExecutor max_workers=50
# (py/ssa/agent.py), the helper threads, and short-lived xray children that
# end up in the same cgroup. Memory remains bounded by MemoryMax/MemoryHigh.
TasksMax=512
# MemoryHigh is the throttling threshold, MemoryMax the hard limit.
# NOTE(review): MemoryHigh= is honoured only on the unified (v2) cgroup
# hierarchy; confirm that this is what the target hosts run.
MemoryHigh=768M
MemoryMax=1G

# --- numpy threading ---
# Keep the BLAS / OpenMP backend behind numpy single-threaded. The daily
# routine makes one kind of BLAS call, np.corrcoef() on two 24-element vectors
# (decision_maker.py get_correlation, autotracer.py pass_by_density), so extra
# threads gain nothing. Left unpinned, OpenBLAS starts one worker per CPU on
# first use (dozens on shared-hosting boxes); that pushed the cgroup task count
# toward the former TasksMax=100 limit and charged per-thread stack and
# glibc-arena memory against MemoryMax=1G. A single thread is both correct and
# faster here (CLPRO-3118).
Environment=OPENBLAS_NUM_THREADS=1
Environment=OMP_NUM_THREADS=1

# --- Privileges ---
# No User= is set in this unit, so unless a drop-in adds one the agent runs as
# root; the bounding set below is what limits that root.
# NoNewPrivileges stops the agent and its children from gaining privileges
# through setuid/setgid binaries or file capabilities on execve().
NoNewPrivileges=yes
# Capabilities outside this list cannot be held by the agent or its children.
# NOTE(review): CAP_DAC_OVERRIDE bypasses file permission checks, so combined
# with a writable /home (see ReadWritePaths) ordinary file modes do not limit
# what the agent may write there. Code that opens paths inside user-controlled
# directories should resolve them defensively (no symlink following, no
# traversal outside the intended directory). Presumably CAP_SETUID/CAP_SETGID/
# CAP_CHOWN are for acting on behalf of site owners; confirm each is still
# required.
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_CHOWN CAP_SETUID CAP_SETGID
# Deny setting the setuid/setgid bits on files and directories.
RestrictSUIDSGID=yes
# Deny creation of, and switching into, new Linux namespaces.
RestrictNamespaces=yes
# NOTE(review): ProtectKernelTunables=, ProtectKernelModules=,
# RestrictAddressFamilies= and SystemCallFilter= are not set. They are
# candidates to evaluate with `systemd-analyze security ssa-agent.service`;
# they are not added here because the agent's runtime needs are not visible
# in this file.

# --- Filesystem view ---
# strict mounts the whole hierarchy read-only for the service (apart from
# /dev, /proc and /sys); only the ReadWritePaths entries are writable again.
ProtectSystem=strict
# /var/cagefs is present only when the optional cagefs package is installed.
# With ProtectSystem=strict each ReadWritePaths entry is bind-mounted into the
# service namespace, and a missing path makes namespace setup fail, which
# crash-loops the unit with 226/NAMESPACE. The leading '-' tells systemd to
# skip the entry when the path does not exist.
ReadWritePaths=/var/lve /var/log/clos_ssa /opt/alt /usr/share/clos_ssa /home -/var/cagefs
# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=yes
# Private /dev holding only pseudo-devices; no physical device nodes.
PrivateDevices=yes
# The cgroup hierarchy under /sys/fs/cgroup is read-only for the service.
ProtectControlGroups=yes
[Install]
# Used only by `systemctl enable`/`disable`: enabling the unit makes
# multi-user.target want it, so the agent is started during a normal boot.
WantedBy=multi-user.target