[Unit]
Description=Vigilar Home Security System
Documentation=https://github.com/vigilar/vigilar
After=network.target mosquitto.service
Requires=mosquitto.service
Wants=nut-monitor.service

[Service]
Type=simple
User=vigilar
Group=vigilar

Environment=VIGILAR_CONFIG=/etc/vigilar/vigilar.toml
ExecStart=/opt/vigilar/venv/bin/vigilar start --config /etc/vigilar/vigilar.toml

Restart=on-failure
RestartSec=10
WatchdogSec=120

# Security hardening
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=no
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

# Allow write to data directories
ReadWritePaths=/var/vigilar/data /var/vigilar/recordings /var/vigilar/hls

# Read-only access to config and secrets
ReadOnlyPaths=/etc/vigilar

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=vigilar

[Install]
WantedBy=multi-user.target