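[Unit]
Description=Numa DNS — DNS you own, everywhere you go
# After= is ordering only; Wants= pulls network-online.target in so the
# ordering actually takes effect.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart={{exe_path}}
Restart=always
# seconds between restart attempts
RestartSec=2

# Run unprivileged; keep only the capability needed to bind the DNS port.
User=numa
Group=numa
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# StateDirectory maps to crate::data_dir() default on Linux (/var/lib/numa).
# systemd auto-creates + chowns on every start, fixing legacy root-owned trees.
StateDirectory=numa
StateDirectoryMode=0750
# /etc/numa — created if missing; treated as read-only configuration input.
ConfigurationDirectory=numa
ConfigurationDirectoryMode=0755

# Sandboxing — conservative set known to work with Rust network daemons.
# Aggressive hardening (MemoryDenyWriteExecute, SystemCallFilter, seccomp
# allow-lists) can be layered on once tested in isolation.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictSUIDSGID=true
# Low-risk additions: widely supported, no conflict with a daemon that only
# does socket I/O. Unknown directives are ignored with a warning on old systemd.
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
LockPersonality=true
RestrictNamespaces=true
# Rejects foreign-ABI syscalls (e.g. 32-bit on x86_64); needs seccomp support.
SystemCallArchitectures=native
# AF_NETLINK for interface enumeration on network changes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK

# Logging: journal only, filed under a stable identifier for filtering.
StandardOutput=journal
StandardError=journal
SyslogIdentifier=numa

[Install]
WantedBy=multi-user.target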