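# PyGuardian systemd service unit.
# Starts /opt/pyguardian/main.py as root with a reduced capability bounding
# set and filesystem sandboxing, and restarts it whenever it exits.

[Unit]
Description=PyGuardian - Linux Server Protection System
Documentation=https://github.com/your-org/pyguardian
After=network.target network-online.target
Wants=network-online.target
RequiresMountsFor=/var/log /var/lib
# Disable start rate limiting so that Restart=always never gives up.
# StartLimitIntervalSec= is a [Unit] setting; the StartLimitInterval=
# spelling under [Service] is only a deprecated compatibility alias.
StartLimitIntervalSec=0

[Service]
Type=exec
User=root
Group=root

# Working directory
WorkingDirectory=/opt/pyguardian

# Start command: interpreter, entry script, path to the YAML configuration.
# Everything under /opt/pyguardian is executed or imported as root, so the
# tree and the config file should be owned by root and not writable by
# any other user.
ExecStart=/usr/bin/python3 /opt/pyguardian/main.py /opt/pyguardian/config/config.yaml

# Restart whenever the process exits (crash or clean exit), after 10 seconds
Restart=always
RestartSec=10

# Environment variables
Environment=PYTHONPATH=/opt/pyguardian
# Unbuffered stdout/stderr so output reaches the journal without delay
Environment=PYTHONUNBUFFERED=1

# Resource limits
# MemoryMax= replaces the deprecated MemoryLimit= setting
MemoryMax=256M
TasksMax=50

# Security / sandboxing
# NOTE(review): NoNewPrivileges is left disabled. If the daemon never needs
# to exec setuid or file-capability helpers, set it to true so that child
# processes cannot gain privileges on execve() - confirm against the helper
# binaries the daemon runs.
NoNewPrivileges=false
# File system is read-only for the service except the ReadWritePaths below
ProtectSystem=strict
ProtectHome=true
# Every path listed here must exist when the unit starts, otherwise the
# mount namespace cannot be set up and the start fails.
# NOTE(review): all of /var/log is writable; narrow this to the daemon's own
# log directory if it only writes its own logs - confirm.
# /tmp is already private and writable through PrivateTmp=true.
ReadWritePaths=/var/log /var/lib/pyguardian /tmp
PrivateTmp=true
PrivateDevices=false
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

# Capabilities: CAP_NET_ADMIN and CAP_NET_RAW for firewall management.
# CAP_DAC_READ_SEARCH bypasses file read and directory search permission
# checks - presumably needed to read protected log files; confirm and drop
# it if it is not.
# The bounding set is what actually restricts the root process.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH
# Mainly relevant if the service is later switched to a non-root User=
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_DAC_READ_SEARCH

# Standard streams go to the journal, tagged "pyguardian"
StandardOutput=journal
StandardError=journal
SyslogIdentifier=pyguardian

# Graceful shutdown: SIGTERM to the main process, up to 30 seconds to exit,
# then SIGKILL to whatever is left in the unit's control group
KillMode=mixed
KillSignal=SIGTERM
TimeoutStopSec=30

[Install]
WantedBy=multi-user.target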