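# systemd service unit for the PoM health monitor.
# Line structure restored: systemd parses one section header or one
# Key=Value directive per line, and comments must sit on their own line
# (a trailing "#" would become part of the value).

[Unit]
Description=PoM Health Monitor
# Order after, and pull in, network-online.target so the network is
# reported up before the service starts.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Run as a dedicated unprivileged account rather than root.
User=pom
Group=pom
# Leading "-" makes a missing file non-fatal. The service manager reads this
# file itself, so the pom account does not need read access to it.
# NOTE(review): if it carries credentials, keep it root-owned and not
# world-readable.
EnvironmentFile=-/etc/pom/env
# NOTE(review): presumably makes pom store its data under /var/lib/pom, which
# matches the only writable path granted below. Confirm against the application.
Environment=XDG_DATA_HOME=/var/lib
ExecStart=/usr/local/bin/pom serve --config /etc/pom/pom.toml
# Restart only on unclean exit, waiting 10 seconds between attempts.
Restart=on-failure
RestartSec=10

# Security hardening
# No privilege gain through execve() (setuid/setgid binaries, file capabilities).
NoNewPrivileges=true
# Mount the whole file system hierarchy read-only for this service, apart from
# the API file systems and the exceptions listed below.
ProtectSystem=strict
# Make /home, /root and /run/user inaccessible.
ProtectHome=true
# Private /tmp and /var/tmp, not shared with other processes.
PrivateTmp=true
# Already implied by ProtectSystem=strict. Kept so the intent survives if that
# setting is ever relaxed.
ReadOnlyPaths=/etc/pom
# The only writable location. The directory must exist before start, since
# this directive does not create it.
ReadWritePaths=/var/lib/pom
# Socket allow-list: local, IPv4 and IPv6 only (no netlink or packet sockets).
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Deny creating or entering namespaces.
RestrictNamespaces=true
# Deny setting set-user-ID / set-group-ID bits on files.
RestrictSUIDSGID=true
# Pin the execution domain (personality(2)).
LockPersonality=true
# Kernel tunables under /proc and /sys become read-only.
ProtectKernelTunables=true
# Deny explicit kernel module loading.
ProtectKernelModules=true
# Control group hierarchy becomes read-only.
ProtectControlGroups=true
# Only native-ABI system calls are permitted.
SystemCallArchitectures=native
# Hard memory ceiling for the service's control group.
MemoryMax=256M

# NOTE(review): not restricted by this unit, and worth evaluating one at a time
# against what pom actually needs (not visible here): CapabilityBoundingSet=,
# SystemCallFilter=, PrivateDevices=, ProtectKernelLogs=, ProtectClock=,
# ProtectHostname=, ProtectProc=, RestrictRealtime=, UMask=.
# "systemd-analyze security <unit name>" reports the remaining exposure.

[Install]
WantedBy=multi-user.target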