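# systemd service unit for the ja4sentinel daemon (JA4 client fingerprinting).
# Runs the daemon as the unprivileged ja4sentinel user; the packet-capture
# capabilities it needs are granted explicitly in [Service] below.

[Unit]
Description=JA4 client fingerprinting daemon
# NOTE(review): "your-repo" looks like a template placeholder; point this at
# the project's real documentation URL before shipping the unit.
Documentation=https://github.com/your-repo/ja4sentinel
# Wants= only pulls network-online.target into the transaction; it does not
# order this unit after it. After= must name the target as well, otherwise
# the daemon can start before the network is actually up.
After=network.target network-online.target
Wants=network-online.target

[Service]
Type=simple
User=ja4sentinel
Group=ja4sentinel
WorkingDirectory=/var/lib/ja4sentinel
ExecStart=/usr/bin/ja4sentinel --config /etc/ja4sentinel/config.yml
Restart=on-failure
# Seconds to wait before restarting after a failure.
RestartSec=5
Environment=JA4SENTINEL_LOG_LEVEL=info

# Security hardening
# Blocks privilege gain through execve() (setuid/setgid bits, file capabilities).
NoNewPrivileges=yes
# "full" mounts /usr, the boot loader directories and /etc read-only; /var and
# the rest of the tree stay writable.
# NOTE(review): ProtectSystem=strict plus an explicit ReadWritePaths= (or
# StateDirectory=) is tighter; confirm every path the daemon writes to first.
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
# NOTE(review): further candidates such as RestrictAddressFamilies=,
# SystemCallFilter=, PrivateDevices= and RestrictNamespaces= are not set here.
# Check the unit's exposure with `systemd-analyze security` and test the
# capture path before enabling any of them.

# Capabilities for packet capture
# The service runs as a non-root user, so the capabilities are raised into the
# ambient set; the bounding set caps what the process can ever hold to the
# same two capabilities.
# NOTE(review): CAP_NET_ADMIN is broad (interface and routing configuration).
# Confirm the capture path needs it; if CAP_NET_RAW alone is enough, drop it
# from both lines.
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN

# Resource limits
LimitNOFILE=65536
# NOTE(review): RLIMIT_NPROC is accounted per user ID, not per service, and
# threads count against it. Confirm 64 leaves headroom for the daemon's
# threads; TasksMax= is the per-unit alternative.
LimitNPROC=64

[Install]
WantedBy=multi-user.target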