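# systemd unit for the GoTermix web terminal.
# Drop it into the usual unit directory (/etc/systemd/system/ on most
# distributions), then `systemctl daemon-reload && systemctl enable --now <unit>`.
# Comments are full-line `#` only; systemd does not support trailing comments.

[Unit]
Description=GoTermix — web terminal
Documentation=https://ghb.freebede.com/nahakubuilder/gotermix
After=network.target
Wants=network.target

[Service]
Type=simple

# Run as a dedicated unprivileged user.
# Create it first:
#   useradd --system --no-create-home --shell /sbin/nologin gotermix
User=gotermix
Group=gotermix

# Working directory — binary, gws-creds.json and gotermix.log live here.
# gws-creds.json presumably holds credentials: keep it owned by gotermix
# with mode 0600 so other local users cannot read it.
WorkingDirectory=/opt/gotermix

# Absolute path to the binary.
# NOTE: a web terminal hands out shell sessions. Binding to 0.0.0.0 exposes
# it on every interface; unless GoTermix itself enforces authentication and
# TLS, bind to 127.0.0.1 and front it with an authenticating reverse proxy.
ExecStart=/opt/gotermix/gotermix -addr 0.0.0.0:5000

# Restart policy: only on abnormal exit, after a 5 s back-off.
Restart=on-failure
RestartSec=5s

# ── Hardening ────────────────────────────────────────────────────────
# No new privileges beyond what the service user already has
# (setuid/setgid/file-capability binaries cannot elevate).
NoNewPrivileges=true

# Private /tmp — isolates temp files from other services.
PrivateTmp=true

# Read-only access to the real /usr, /boot, /etc (and more, with strict).
ProtectSystem=strict

# Allow the service to write its own data directory.
# NOTE(review): the binary lives under this same path, so the service can
# overwrite itself. Consider placing the executable outside ReadWritePaths
# so a compromised process cannot persist by replacing the binary.
ReadWritePaths=/opt/gotermix

# Hide /home and /root from the process.
ProtectHome=true

# Prevent loading kernel modules.
ProtectKernelModules=true

# Prevent writing to kernel tunables.
ProtectKernelTunables=true

# Prevent altering control groups.
ProtectControlGroups=true

# Hide the kernel log buffer, and make the clock and hostname read-only.
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true

# No capabilities at all; the service user needs none.
CapabilityBoundingSet=

# No new user/mount/net/pid namespaces, and no setuid/setgid file creation.
RestrictNamespaces=true
RestrictSUIDSGID=true

# Allow only the syscall groups a typical system service needs; anything
# else fails with EPERM instead of killing the process, and only the native
# ABI is accepted.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

# Restrict address families: IPv4/IPv6 for the HTTP listener + WebSocket,
# AF_UNIX for local sockets.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Deny realtime scheduling (no starving other services).
RestrictRealtime=true

# Lock the execution domain (personality) so it cannot be changed.
LockPersonality=true

# Left off deliberately: the service author reports the Go runtime fails with
# it enabled. Go is ahead-of-time compiled (no JIT), so this is worth
# re-testing with =true on the deployed Go version; while false, writable
# and executable memory mappings remain possible.
MemoryDenyWriteExecute=false

[Install]
WantedBy=multi-user.target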