[Unit]
Description=Metacircular Identity and Access System
After=network.target

[Service]
Type=simple
User=mcias
Group=mcias
WorkingDirectory=/opt/mcias
ExecStart=/opt/mcias/mcias server --db /opt/mcias/mcias.db
Restart=on-failure
RestartSec=5
StandardOutput=journal
StandardError=journal
SyslogIdentifier=mcias

# Security settings
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
NoNewPrivileges=true
ReadWritePaths=/opt/mcias

[Install]
WantedBy=multi-user.target