# ─────────────────────────────────────────────────────────────
# Systemd unit for project-bifrost.
#
# Install to: /etc/systemd/system/fenja.service
#
#   sudo cp deploy/fenja.service /etc/systemd/system/fenja.service
#   sudo systemctl daemon-reload
#   sudo systemctl enable --now fenja
#   sudo systemctl status fenja
#   sudo journalctl -u fenja -f            # live tail of logs
# ─────────────────────────────────────────────────────────────

[Unit]
Description=Fenja AI (project-bifrost)
After=network.target

[Service]
Type=simple
User=fenja
Group=fenja
WorkingDirectory=/opt/fenja
EnvironmentFile=/opt/fenja/.env
ExecStart=/usr/bin/node server.js
Restart=on-failure
RestartSec=5

# stdout / stderr → journald
StandardOutput=journal
StandardError=journal
SyslogIdentifier=fenja

# ─── Hardening ───
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictSUIDSGID=true
LockPersonality=true
# Only these paths are writable
ReadWritePaths=/opt/fenja/data

[Install]
WantedBy=multi-user.target