[Unit]
Description=Beszel Hub Service
After=network.target

[Service]
Type=simple
Restart=always
RestartSec=5
ExecStart=/usr/bin/beszel-hub serve --dir /var/lib/beszel-hub/data --http ${BESZEL_HUB_SERVE_HTTP} --https ${BESZEL_HUB_SERVE_HTTPS}
WorkingDirectory=/var/lib/beszel-hub
EnvironmentFile=/etc/beszel-hub/beszel-hub.env

User=beszel-hub
Group=beszel

# Security/sandboxing settings
KeyringMode=private
LockPersonality=yes
NoNewPrivileges=no
ProtectClock=yes
ProtectHome=read-only
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectSystem=full
RemoveIPC=yes
RestrictSUIDSGID=true
ReadWritePaths=/var/lib/beszel-hub

[Install]
WantedBy=multi-user.target