[Unit]
Description=GoTermix — web terminal
Documentation=https://ghb.freebede.com/nahakubuilder/gotermix
After=network.target
Wants=network.target

[Service]
Type=simple

# ── User ─────────────────────────────────────────────────────────────
# Option A (default): run as your own user so the terminal inherits
# your permissions, sudo rights, and home directory.
# Replace "youruser" with the actual username.
# Everything done through the web terminal runs with this account's
# privileges, so the account chosen here defines the exposure.
# NOTE(review): per systemd.exec(5), ProtectKernelModules=,
# ProtectKernelTunables=, RestrictAddressFamilies=, RestrictRealtime= and
# LockPersonality= imply NoNewPrivileges=yes when the service runs with
# User=. That stops setuid programs such as sudo from elevating, so the
# "sudo rights" above are unlikely to work while those directives are set.
# Confirm on the target systemd version.
User=youruser
Group=youruser

# Option B: dedicated unprivileged system user (no sudo inside terminal).
# Create first: useradd --system --no-create-home --shell /sbin/nologin gotermix
# Then swap the User/Group lines above and remove NoNewPrivileges below.
# NOTE(review): this unit contains no NoNewPrivileges= line, so there is
# nothing to remove. For an unprivileged account, no-new-privileges is
# normally a restriction to keep rather than drop.

# Working directory — binary, gws-creds.json and gotermix.log live here.
# NOTE(review): gws-creds.json sits next to the binary and the log, so the
# directory and that file should be readable only by the service account.
# Ownership and modes are not set by this unit; verify them on the host.
WorkingDirectory=/opt/gotermix

# Absolute path to the binary.
# -addr 0.0.0.0:5000 listens on every interface on port 5000.
# NOTE(review): a web terminal is remote shell access. If it is only meant
# to be reached through a local reverse proxy or tunnel, bind to
# 127.0.0.1:5000 instead. Whether gotermix provides TLS or authentication
# itself is not shown in this unit.
ExecStart=/opt/gotermix/gotermix -addr 0.0.0.0:5000

# Restart policy: restart only after a failure, waiting 5 seconds first.
Restart=on-failure
RestartSec=5s

# Kernel hardening — described as safe for both options.
# NOTE(review): with User= set, these directives also imply
# NoNewPrivileges=yes (see the note under Option A), which conflicts with
# using sudo inside the terminal.
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
# Restrict address families to IPv4/IPv6/Unix sockets.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictRealtime=true
LockPersonality=true

[Install]
WantedBy=multi-user.target