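# systemd unit for the Superball Thrower daemon (Node.js).
# systemd parses one directive per line and does not support trailing
# comments, so every setting and every comment sits on its own line.

[Unit]
Description=Superball Thrower Daemon
Documentation=https://github.com/superball/thrower
# Start only once the network is reported as online.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Runs as a dedicated unprivileged account, never as root.
User=superball-thrower
Group=superball-thrower
WorkingDirectory=/opt/superball-thrower
# daemon.js is resolved relative to WorkingDirectory.
ExecStart=/usr/local/bin/node daemon.js start
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Restart=always
RestartSec=10
StandardOutput=journal
StandardError=journal
SyslogIdentifier=superball-thrower

# Security settings
NoNewPrivileges=true
PrivateTmp=true
# The whole file system is read-only for the service, except ReadWritePaths.
ProtectSystem=strict
ProtectHome=true
# Each listed path must exist when the unit starts; otherwise mount-namespace
# setup fails and the service does not start.
# NOTE(review): /opt/superball-thrower is also the directory ExecStart loads
# daemon.js from, so the service account can modify the code it runs. If the
# daemon only writes state or configuration there, narrow this entry to that
# subdirectory and keep the code itself root-owned and read-only.
ReadWritePaths=/var/log/superball-thrower /opt/superball-thrower
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
# MemoryDenyWriteExecute=true
# Disabled - conflicts with Node.js JIT compilation
RestrictNamespaces=true
# Allow-list of syscalls; anything outside it fails with EPERM instead of
# killing the process.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# Added hardening: the service runs unprivileged and sets no
# AmbientCapabilities, so it needs no capabilities, no physical device nodes
# and no ability to change the hostname.
CapabilityBoundingSet=
PrivateDevices=true
ProtectHostname=true
# On newer systemd releases also consider ProtectKernelLogs=true and
# ProtectClock=true; `systemd-analyze security <unit>` lists what is still open.

# Resource limits
LimitNOFILE=65536
LimitNPROC=4096

# Environment
Environment=NODE_ENV=production
# Caps the V8 old-space heap at 512 MiB; this is not a limit on the process
# as a whole.
Environment=NODE_OPTIONS=--max-old-space-size=512

[Install]
WantedBy=multi-user.target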