[Unit]
Description=FieldWitness
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=fieldwitness
Group=fieldwitness
WorkingDirectory=/home/fieldwitness
Environment=PATH=/opt/fieldwitness-env/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Environment=FIELDWITNESS_DATA_DIR=/home/fieldwitness/.fwmetadata
ExecStartPre=/opt/fieldwitness-env/bin/fieldwitness init --no-identity --no-channel
ExecStart=/opt/fieldwitness-env/bin/fieldwitness serve --host 0.0.0.0 --no-https
Restart=on-failure
RestartSec=5

# Security hardening
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/home/fieldwitness/.fwmetadata
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes

[Install]
WantedBy=multi-user.target