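# systemd service unit for the MNW CLI SSH server.
# Runs /opt/mnw-cli/mnw-cli as the unprivileged mnw-cli account inside a
# systemd sandbox. After editing, re-check the sandbox exposure with:
#   systemd-analyze security <unit-name>.service

[Unit]
Description=MNW CLI SSH Server
Documentation=https://makenot.work/docs
# Wants= only pulls network-online.target into the transaction; the matching
# After= entry is what delays startup until the network is reported online.
# makenotwork.service is ordering-only here: it is not pulled in or required.
After=network.target network-online.target makenotwork.service
Wants=network-online.target

[Service]
Type=simple
User=mnw-cli
Group=mnw-cli
WorkingDirectory=/opt/mnw-cli
ExecStart=/opt/mnw-cli/mnw-cli
# Restart on any exit, waiting 5 seconds between attempts.
Restart=always
RestartSec=5

# Environment
# NOTE(review): .env presumably carries credentials or keys. It sits inside a
# directory listed in ReadWritePaths= below, so keep it root-owned and not
# writable by mnw-cli; systemd reads it before privileges are dropped.
EnvironmentFile=/opt/mnw-cli/.env
Environment=HOME=/opt/mnw-cli

# Security hardening
# NoNewPrivileges and RestrictSUIDSGID must be false because mnw-cli
# spawns git operations via sudo -u git (requires setuid escalation).
# NOTE(review): systemd.exec(5) documents that seccomp-backed options used
# below (RestrictAddressFamilies=, RestrictNamespaces=, RestrictRealtime=,
# LockPersonality=, SystemCallArchitectures=, ...) can imply
# NoNewPrivileges=yes for a service running with User=, depending on the
# systemd version. Confirm the effective state from the NoNewPrivs field in
# /proc/<pid>/status of the running service rather than from this line.
# NOTE(review): with this escalation path open, the sudoers rule is the real
# privilege boundary. Keep it limited to the target user git and the exact
# commands needed (sudoers is not part of this file; verify separately).
NoNewPrivileges=false
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
# Exceptions to the read-only file system set up by ProtectSystem=strict.
# NOTE(review): /opt/mnw-cli holds the service executable and .env, so a
# compromised service process could replace either if file ownership allows
# it. If only state is written, narrow this to the state directories and keep
# the binary and .env root-owned.
ReadWritePaths=/opt/mnw-cli /var/lib/mnw-cli /var/lib/mnw
# Sockets are limited to local (AF_UNIX) and IPv4/IPv6; this excludes e.g.
# netlink and packet sockets.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
# RestrictSUIDSGID= governs setting SUID/SGID bits on files, not running
# existing setuid binaries; it is left off per the author's note above.
RestrictSUIDSGID=false
LockPersonality=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
SystemCallArchitectures=native

# Resource limits
# Bound file descriptors, memory and task count so a runaway or abused
# session cannot exhaust the host.
LimitNOFILE=4096
MemoryMax=512M
TasksMax=512

# Logging
# stdout/stderr go to the journal, tagged mnw-cli for filtering
# (journalctl -t mnw-cli).
StandardOutput=journal
StandardError=journal
SyslogIdentifier=mnw-cli

[Install]
WantedBy=multi-user.target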