[Unit]
Description=Watch host cert for moments-api
Documentation=https://git.lair.cafe/grenade/architecture

[Path]
# Hostname is substituted at deploy time. step-ca rotates host certs every
# 24h; rustls reads them at process start, so the API must restart on
# rotation. Read-only public timeline — a few seconds of churn is fine.
PathChanged=/etc/pki/tls/misc/{{HOSTNAME}}.pem
Unit=moments-api-cert-reload.service

[Install]
WantedBy=multi-user.target