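# systemd unit for the JA4 client fingerprinting daemon (ja4sentinel).
# The service runs as root, but its capability bounding set is cut down to
# what packet capture needs, and most of the filesystem is mounted read-only.

[Unit]
Description=JA4 client fingerprinting daemon
# NOTE(review): "your-repo" looks like a placeholder - point this at the real
# project documentation before shipping.
Documentation=https://github.com/your-repo/ja4sentinel
# Wants= only pulls network-online.target into the transaction. Ordering needs
# a matching After=, otherwise the daemon may start before interfaces are up.
After=network.target network-online.target
Wants=network-online.target

[Service]
# The daemon must report readiness through sd_notify(). Only messages from the
# main process are accepted (NotifyAccess=main).
Type=notify
User=root
Group=root
WorkingDirectory=/var/lib/ja4sentinel
ExecStart=/usr/bin/ja4sentinel --config /etc/ja4sentinel/config.yml
# on-failure also covers watchdog timeouts: if no keep-alive arrives within
# WatchdogSec, systemd stops the service and restarts it after RestartSec.
Restart=on-failure
RestartSec=5
WatchdogSec=30
NotifyAccess=main
Environment=JA4SENTINEL_LOG_LEVEL=info

# Security hardening (compatible with root for packet capture)
# ProtectSystem=strict makes the file system hierarchy read-only for this
# service. ReadWritePaths= lists the only writable exceptions.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
# Not implied for a root system service, so it is set explicitly: the daemon
# and its children cannot gain privileges across execve() (setuid/setgid
# bits, file capabilities).
# NOTE(review): assumes the daemon does not exec setuid helpers - confirm.
NoNewPrivileges=yes
# Both directories must exist when the unit starts, or namespace setup fails.
# NOTE(review): presumably created by the package - confirm.
ReadWritePaths=/var/lib/ja4sentinel /var/log/ja4sentinel

# Capabilities for packet capture
# CapabilityBoundingSet= is the effective restriction while User=root. Every
# capability outside this list is dropped, including CAP_DAC_OVERRIDE, so root
# no longer bypasses file permission checks.
# AmbientCapabilities= is redundant for root. It matters only if the service
# is later moved to a dedicated non-root User=.
# NOTE(review): CAP_NET_ADMIN also permits interface, routing and firewall
# changes. Drop it if capture works with CAP_NET_RAW alone - confirm.
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN

# Resource limits
LimitNOFILE=65536
# RLIMIT_NPROC is counted per UID rather than per unit and is generally not
# enforced for root, so this line is unlikely to bound the service as written.
# NOTE(review): consider TasksMax= if a per-service task cap is intended.
LimitNPROC=64

[Install]
WantedBy=multi-user.target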