[Unit]
Description=Conduit Matrix Homeserver
After=network.target

[Service]
Type=simple
User=conduit
Group=conduit

WorkingDirectory=/opt/conduit
ExecStart=/opt/conduit/conduit

# Restart on failure
Restart=on-failure
RestartSec=5

# Resource limits
LimitNOFILE=65536

# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/opt/conduit/data /opt/conduit/logs
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
LockPersonality=true

# Environment
Environment="RUST_LOG=info"
Environment="CONDUIT_CONFIG=/opt/conduit/conduit.toml"

[Install]
WantedBy=multi-user.target