[Unit]
Description=NIP-05 API
Documentation=https://github.com/noderunners/nip05api
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=nip05
Group=nip05
WorkingDirectory=/opt/nip05api
EnvironmentFile=/opt/nip05api/.env
ExecStart=/opt/nip05api/bin/nip05api
Restart=on-failure
RestartSec=5

# Hardening
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ReadWritePaths=/opt/nip05api/.data
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
CapabilityBoundingSet=
AmbientCapabilities=

# Limits
LimitNOFILE=65536
TimeoutStopSec=45

# Logging to stdout/stderr → journald
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target