[Unit]
Description=Metacircular Identity and Access System
After=network.target

[Service]
Type=simple
User=mcias
Group=mcias
WorkingDirectory=/srv/mcias
ExecStart=/usr/local/bin/mcias/mcias server --db /srv/mcias/mcias.db
Restart=on-failure
RestartSec=5
StandardOutput=journal
StandardError=journal
SyslogIdentifier=mcias

# Security settings
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
NoNewPrivileges=true
ReadWritePaths=/srv/mcias

[Install]
WantedBy=multi-user.target