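# mcias.service -- systemd unit for the MCIAS authentication server.
# systemd supports full-line comments only; never append a comment to a value line.

[Unit]
Description=MCIAS Authentication Server
Documentation=man:mciassrv(1)
# network.target only orders against network *management* coming up; it does
# not mean addresses are configured. If mciassrv binds a specific non-loopback
# address, network-online.target is what "network available" actually means.
# Remove both lines if you bind only to loopback.
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=mcias
Group=mcias

# Configuration and secrets.
# /etc/mcias/env must contain MCIAS_MASTER_PASSPHRASE=
# See dist/mcias.env.example for the template.
# The file is read by the service manager before privileges are dropped, so it
# can and should be root:root 0600 -- the mcias user never needs to read it.
# NOTE(review): a secret in the environment is readable from /proc/<pid>/environ
# by anything running as the mcias user and is inherited by every child process.
# If mciassrv can read the passphrase from a file path, prefer LoadCredential=
# (systemd >= 247) over an environment variable -- confirm against mciassrv(1).
EnvironmentFile=/etc/mcias/env
ExecStart=/usr/local/bin/mciassrv -config /etc/mcias/mcias.conf
Restart=on-failure
RestartSec=5

# File descriptor limit. mciassrv keeps one fd per open connection plus
# the SQLite WAL files; 65536 is generous headroom for a personal server.
LimitNOFILE=65536

# Capabilities. mcias does not need any: it runs as an unprivileged user and
# listens on ports > 1024, so the bounding set is emptied.
# To bind a privileged port (< 1024, e.g. 443) either:
#   a) terminate TLS at a reverse proxy (recommended), or
#   b) uncomment the AmbientCapabilities= line below; if the bind then still
#      fails with EACCES, add CAP_NET_BIND_SERVICE to CapabilityBoundingSet= too.
# Do not leave the capability granted when it is not needed: ambient
# capabilities survive the switch to the mcias uid and are available to
# anything that compromises the process.
CapabilityBoundingSet=
#AmbientCapabilities=CAP_NET_BIND_SERVICE

# Filesystem restrictions.
# mciassrv reads /etc/mcias (config, TLS cert/key) and writes /var/lib/mcias (DB).
# ProtectSystem=strict mounts the whole tree read-only except ReadWritePaths=.
# /var/lib/mcias must exist and be owned by mcias:mcias (StateDirectory=mcias
# would create it with the right ownership). Keep the TLS private key readable
# only by root and the mcias group, e.g. root:mcias 0640.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/var/lib/mcias
# Files the server creates (SQLite DB and WAL) are private to the mcias user.
UMask=0077

# Additional hardening.
NoNewPrivileges=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
LockPersonality=true
# Forbids writable+executable memory mappings. Fine for a plain compiled
# binary; would have to go if mciassrv ever loaded a JIT or native plugins.
MemoryDenyWriteExecute=true
# A TCP/TLS server needs IP sockets plus AF_UNIX for journald/syslog logging.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Seccomp allow-list. @system-service is the baseline set for ordinary daemons.
# If mciassrv fails to start after enabling this, look for SIGSYS in the
# journal and widen the set for the specific syscall rather than dropping
# the filter.
SystemCallArchitectures=native
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target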