[Unit]
Description=FeatherDDNS - Lightweight Dynamic DNS Server
Documentation=https://git.nevets.tech/Steven/FeatherDDNS
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=featherddns
Group=featherddns
ExecStart=/usr/bin/featherddns
WorkingDirectory=/var/lib/featherddns
Restart=on-failure
RestartSec=5

# Security hardening
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes

# Allow binding to privileged ports if needed (DNS uses 53)
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# Writable directories
ReadWritePaths=/var/lib/featherddns /var/log/featherddns

[Install]
WantedBy=multi-user.target