# systemd service unit for the nginx-logtail collector: runs
# /usr/sbin/nginx-logtail-collector as an unprivileged user with a read-only
# view of the filesystem.

[Unit]
Description=nginx-logtail collector
Documentation=man:nginx-logtail(8)
# After= orders startup behind network-online.target; Wants= pulls that target
# in, without making its failure fatal for this unit.
After=network-online.target
Wants=network-online.target

[Service]
# Type=simple: the unit counts as started as soon as the main process is forked.
Type=simple
# Group=www-data lets the collector read nginx access logs that are group-readable
# by www-data. Override with a drop-in if your nginx uses a different group.
# NOTE(review): www-data as primary group also grants access to every other file
# that is group-accessible to www-data, not only the logs. A dedicated log-reader
# group would be narrower; confirm which group owns the logs on your distribution.
User=_logtail
Group=www-data
# The leading "-" makes the file optional: a missing file is not an error.
# Its contents become command-line arguments of the collector, so keep it
# root-owned and not writable by _logtail or www-data, and keep secrets out of
# it (command lines are normally readable by other local users via /proc).
EnvironmentFile=-/etc/default/nginx-logtail
# Unbraced $COLLECTOR_ARGS is split on whitespace into zero or more arguments;
# if the variable is unset, the collector starts with no arguments.
ExecStart=/usr/sbin/nginx-logtail-collector $COLLECTOR_ARGS
# Restart only after an unclean exit, waiting 5 seconds between attempts.
Restart=on-failure
RestartSec=5
# Basic hardening — override with a drop-in if your deployment needs more.
# NOTE(review): not set here, and worth evaluating in a drop-in after testing:
# CapabilityBoundingSet=, PrivateDevices=, ProtectKernelTunables=,
# ProtectKernelModules=, ProtectControlGroups=, RestrictAddressFamilies=,
# SystemCallFilter=. `systemd-analyze security <unit-name>.service` reports the
# remaining exposure.
# strict: the whole filesystem hierarchy is mounted read-only for this service,
# except /dev, /proc and /sys. No ReadWritePaths= or StateDirectory= is declared,
# so the only writable location is the private /tmp below.
ProtectSystem=strict
# /home, /root and /run/user are inaccessible to the service.
ProtectHome=yes
# The service gets its own /tmp and /var/tmp, not shared with other processes.
PrivateTmp=yes
# The process and its children cannot gain privileges through execve()
# (setuid/setgid bits, file capabilities).
NoNewPrivileges=yes
# Already implied by ProtectSystem=strict; stated explicitly so the logs stay
# read-only even if a drop-in relaxes ProtectSystem=.
ReadOnlyPaths=/var/log

[Install]
# Started as part of the normal multi-user boot once the unit is enabled.
WantedBy=multi-user.target