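# systemd service unit for server18004, a QR code generation server (ISO 18004).
# Runs the release binary as the unprivileged qrserver account with a
# sandboxed view of the host.

[Unit]
Description=QR Code Generation Server (ISO 18004)
Documentation=https://github.com/your-org/server18004
# Wants= only pulls network-online.target in; it does not order this unit.
# After= must name it as well, or the server can start before the network is up.
Wants=network-online.target
After=network.target network-online.target
# Start rate limiting is a [Unit] setting. StartLimitIntervalSec= is not
# accepted in [Service] (only the legacy StartLimitInterval= spelling is),
# so it is declared here to make sure the crash-loop limit takes effect.
# With the values below, more than 5 starts within 60 seconds leave the unit
# in the failed state until it is reset manually.
StartLimitIntervalSec=60
StartLimitBurst=5

[Service]
Type=simple
# Dedicated unprivileged account; the service never runs as root.
User=qrserver
Group=qrserver

# Binary location (adjust after cargo build --release)
ExecStart=/usr/local/bin/server18004 \
    --config-path /etc/server18004/server.conf \
    --domains-path /etc/server18004/domains.conf

# Restart policy: restart only on abnormal exit, after a 5 second pause.
Restart=on-failure
RestartSec=5

# Environment
Environment=RUST_LOG=info
# Uncomment for debug logging:
# Environment=RUST_LOG=debug

# Security hardening
# Block privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=true
# The whole file system is read-only except the paths in ReadWritePaths=.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
RestrictSUIDSGID=true
MemoryDenyWriteExecute=true
LockPersonality=true
RestrictRealtime=true
RestrictNamespaces=true
SystemCallArchitectures=native
# Empty bounding set: the service can never hold a capability. If it has to
# bind a port below 1024, grant CAP_NET_BIND_SERVICE here and in
# AmbientCapabilities= instead of running as root.
CapabilityBoundingSet=

# Allow writing to config directory (for domain persistence)
# NOTE(review): this makes server.conf writable to the service too, as far as
# the sandbox is concerned. Keep server.conf owned by root and not writable by
# qrserver so only domains.conf can be changed at runtime, or move the
# persisted domain list to a StateDirectory= and drop this line.
ReadWritePaths=/etc/server18004

# Resource limits
LimitNOFILE=65536
LimitNPROC=4096

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=server18004

[Install]
WantedBy=multi-user.target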