[Unit]
Description=OpenFang Agent OS Daemon
Documentation=https://github.com/openfang-ai/openfang
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=openfang
Group=openfang
ExecStart=/usr/local/bin/openfang start
Restart=on-failure
RestartSec=5
TimeoutStopSec=30

# Environment
EnvironmentFile=-/etc/openfang/env
WorkingDirectory=/var/lib/openfang

# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/openfang
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictSUIDSGID=true
MemoryDenyWriteExecute=false
RestrictRealtime=true

# Resource limits
LimitNOFILE=65536
LimitNPROC=4096

[Install]
WantedBy=multi-user.target