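# watchdog.service — runs the Watchdog privacy-analytics daemon as a
# sandboxed, unprivileged system service. The hardening below is an
# allow-list: anything the daemon needs beyond what is listed here
# (a capability, a socket family, a writable path) must be added
# explicitly rather than by loosening a whole directive.
[Unit]
Description=Watchdog Privacy Analytics
Documentation=https://github.com/notashelf/watchdog
# Order after the network is up so the listener can bind. Wants= (not
# Requires=) keeps the unit startable even if network-online.target fails.
After=network-online.target
Wants=network-online.target

[Service]
# Type=exec would additionally fail the start job if the binary cannot be
# executed; Type=simple only reports that the fork succeeded.
Type=simple
# Dedicated unprivileged account. This unit does not create it — provision
# it via sysusers.d or the package before enabling the service.
User=watchdog
Group=watchdog
# Bare program name: resolved through systemd's fixed executable search
# path (systemd >= 239). Use an absolute path on older releases.
ExecStart=watchdog -config /etc/watchdog/config.yaml
Restart=on-failure
RestartSec=5s
# Restrictive umask so files the daemon creates (HLL state) are not
# group- or world-readable.
UMask=0077

# State directory for HLL persistence. StateDirectory= creates
# /var/lib/watchdog owned by User=/Group= and already makes it writable
# under ProtectSystem=strict; ReadWritePaths= below is kept for explicitness.
StateDirectory=watchdog
WorkingDirectory=/var/lib/watchdog

# Security hardening
NoNewPrivileges=true
PrivateTmp=true
# Private /dev containing only pseudo-devices: no access to physical or
# raw device nodes.
PrivateDevices=true

# File system protections
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/watchdog

# Capabilities: empty bounding set, so the daemon holds no capabilities at
# all. Consequently it cannot bind ports below 1024; if config.yaml uses
# such a port, grant CAP_NET_BIND_SERVICE specifically instead of widening
# the set.
AmbientCapabilities=
CapabilityBoundingSet=

# Sandboxing
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
# Only the socket families the network listener and local IPC need.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
LockPersonality=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
PrivateMounts=true
# NOTE(review): ProtectProc=invisible and MemoryDenyWriteExecute=true are
# further candidates; not enabled until it is confirmed the runtime needs
# neither visibility of other users' processes in /proc nor
# writable+executable memory mappings.

# System call filtering: allow the @system-service group, then deny the
# privileged and resource-limit subsets. Denied calls return EPERM instead
# of killing the process, so the program sees an ordinary error it can
# handle rather than a SIGSYS.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
# Reject syscalls made through a non-native ABI (e.g. 32-bit on x86-64),
# which the filter above would otherwise not cover.
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target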