# systemd service unit for the restic-manager agent.
# Runs the agent under a dedicated unprivileged account inside a sandbox.

[Unit]
Description=restic-manager agent
Documentation=https://gitea.dcglab.co.uk/steve/restic-manager
# After= only orders the start; Wants= is what pulls the target in.
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/restic-manager-agent -config /etc/restic-manager/agent.yaml
# Restart on any exit, waiting 5 seconds between attempts.
RestartSec=5
Restart=always

# Dedicated unprivileged account; the install script creates it.
Group=restic-manager-agent
User=restic-manager-agent

# Filesystem view.
# ProtectSystem=strict mounts the whole hierarchy read-only for this service
# (apart from /dev, /proc and /sys). ReadWritePaths= re-opens the config
# directory and the state directory; PrivateTmp= adds a private /tmp.
# Home directories stay readable so they can be backed up, but not writable.
# Both ReadWritePaths= entries must exist before the unit starts, because
# neither carries the "-" prefix that tolerates a missing path.
# NOTE(review): a writable /etc/restic-manager lets the agent process rewrite
# agent.yaml, the file it is started with. If only the state file needs
# writes, keeping the config directory read-only would be tighter; confirm
# what the agent writes under /etc before narrowing this.
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=true
ReadWritePaths=/etc/restic-manager /var/lib/restic-manager

# Read access to backup sources is deliberately not restricted by the sandbox,
# since restic has to read whatever it backs up. Ordinary file permissions
# still apply to the unprivileged account.
# NOTE(review): confirm how files the account cannot read are meant to be
# backed up; prefer one narrowly scoped grant (for example the single
# capability CAP_DAC_READ_SEARCH) over running the service as root.

# Privilege escalation.
NoNewPrivileges=true
RestrictSUIDSGID=true

# Kernel and host-wide state.
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectHostname=true
ProtectClock=true

# Process-level restrictions.
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
LockPersonality=true
RestrictNamespaces=true
RestrictRealtime=true

# NOTE(review): CapabilityBoundingSet=, SystemCallFilter=,
# RestrictAddressFamilies= and PrivateDevices= are not set in this unit.
# "systemd-analyze security <unit name>" lists what remains exposed; test each
# addition against the agent and restic before enabling it.

[Install]
WantedBy=multi-user.target