[Unit]
Description=SooSeF Security Fieldkit
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=soosef
Group=soosef
WorkingDirectory=/home/soosef
Environment=PATH=/opt/soosef-env/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Environment=SOOSEF_DATA_DIR=/home/soosef/.soosef
ExecStartPre=/opt/soosef-env/bin/soosef init --no-identity --no-channel
ExecStart=/opt/soosef-env/bin/soosef serve --host 0.0.0.0 --no-https
Restart=on-failure
RestartSec=5

# Security hardening
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/home/soosef/.soosef
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes

[Install]
WantedBy=multi-user.target