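# systemd unit for the StellaOps Zastava agent (container runtime monitor).
# Read by systemd: full-line `#` comments only, `=` delimiter, no inline
# comments; repeated list-type keys (e.g. ReadWritePaths=) accumulate.

[Unit]
Description=StellaOps Zastava Agent - Container Runtime Monitor
Documentation=https://docs.stellaops.org/zastava/agent/
# After= is ordering only; the hard dependency is Requires=docker.service.
After=network-online.target docker.service containerd.service
Wants=network-online.target
Requires=docker.service

[Service]
# Type=notify: the agent must send READY=1 on $NOTIFY_SOCKET or startup is
# treated as failed; with WatchdogSec= below it must also send WATCHDOG=1
# at least once per interval.
Type=notify
ExecStart=/opt/stellaops/zastava-agent/StellaOps.Zastava.Agent
WorkingDirectory=/opt/stellaops/zastava-agent
Restart=always
# seconds to wait before a restart attempt
RestartSec=5

# Environment configuration
# Leading "-" makes the env file optional. It is read by systemd before
# User= takes effect, so it can stay root-owned with mode 0600 (verify on the
# target systemd version). Secrets are better passed via LoadCredential= than
# as environment variables, which any process running as the same user can
# read from /proc/<pid>/environ.
EnvironmentFile=-/etc/stellaops/zastava-agent.env
Environment=DOTNET_ENVIRONMENT=Production
Environment=ASPNETCORE_ENVIRONMENT=Production

# User and permissions
# NOTE: membership in the docker group is root-equivalent on the host via the
# Docker API. The sandboxing below confines this process itself; it does not
# limit what the process can request from dockerd.
User=zastava-agent
Group=docker

# Security hardening
NoNewPrivileges=true
# strict: whole filesystem read-only except /dev, /proc, /sys and the
# paths listed in ReadWritePaths= / StateDirectory= below
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
ProtectHostname=true
ProtectClock=true
RestrictNamespaces=true
SystemCallArchitectures=native
# MemoryDenyWriteExecute= is deliberately NOT set: the .NET JIT requires
# writable+executable mappings and the runtime would fail under it.

# Docker socket
# ProtectSystem=strict mounts /run read-only (/var/run is normally a symlink
# to /run), and connect() on a unix socket needs write permission on the
# socket node, so this must be ReadWritePaths= — read-only access is not
# enough to talk to dockerd.
ReadWritePaths=/var/run/docker.sock
# Persistent state
# StateDirectory= creates /var/lib/zastava-agent owned by User=/Group= at
# start and makes it writable under ProtectSystem=strict, so the service
# does not depend on packaging having created the directory.
StateDirectory=zastava-agent

# Capabilities
# Both empty: the process holds no capabilities at all. Socket access comes
# from the docker group membership above, not from a capability.
CapabilityBoundingSet=
AmbientCapabilities=

# Resource limits
LimitNOFILE=65536
LimitNPROC=4096
# hard cgroup memory cap; the unit is OOM-killed (and restarted) above it
MemoryMax=512M

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=zastava-agent

# Watchdog (5 minute timeout): systemd kills and restarts the agent if no
# WATCHDOG=1 notification arrives within this interval.
WatchdogSec=300

[Install]
WantedBy=multi-user.target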