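# systemd unit for the Cloudflare Drift Guardian configuration monitor.
#
# Runs drift-guardian.py as the unprivileged cloudflare-mesh user with a
# read-only view of the system; only its state and log directories are
# writable. Keep this file readable by everyone (it holds no secrets);
# the secrets live in the EnvironmentFile referenced below.
#
# NOTE(review): /etc/cloudflare-mesh/environment presumably carries the
# Cloudflare API token next to the zone/account IDs. systemd (PID 1) reads it
# as root before dropping to User=, so the file can and should be
# root:root 0600 -- the service user does not need read access. If the script
# can be taught to read the token from a file, LoadCredential= would keep it
# out of the process environment entirely (environment is visible to
# everything the process forks and leaks easily into crash dumps and logs).

[Unit]
Description=Cloudflare Drift Guardian - Real-time configuration monitor
Documentation=https://vaultmesh.org/docs/cloudflare-binding
After=network-online.target
Wants=network-online.target

# Start-rate limiting: at most 5 starts within 300 s, after which the unit
# enters the failed state instead of restarting. These keys belong in [Unit]
# (systemd.unit(5)); placing them in [Service] only works via a legacy
# compatibility alias.
StartLimitIntervalSec=300
StartLimitBurst=5

[Service]
Type=simple
User=cloudflare-mesh
Group=cloudflare-mesh

# Environment
# Deliberately no "-" prefix: a missing environment file fails the start
# rather than launching with empty --zone-id/--account-id values.
EnvironmentFile=/etc/cloudflare-mesh/environment
Environment=PYTHONUNBUFFERED=1
# /opt is read-only under ProtectSystem=strict; stop Python from trying (and
# silently failing) to write __pycache__ next to imported modules.
Environment=PYTHONDONTWRITEBYTECODE=1

# Execution
# ${VAR} expands to exactly one argument even if the value contains
# whitespace, so the IDs cannot be split into extra arguments.
# --interval is the poll period in seconds.
# --auto-remediate means the service WRITES configuration back to Cloudflare,
# so the API token behind it needs edit scope -- scope it to this zone/account
# only.
ExecStart=/usr/bin/python3 /opt/cloudflare-mesh/scripts/drift-guardian.py \
    --zone-id ${CLOUDFLARE_ZONE_ID} \
    --account-id ${CLOUDFLARE_ACCOUNT_ID} \
    --interval 60 \
    --auto-remediate

# Restart policy
# A crashed or exited process is relaunched after 30 s until the start-rate
# limit in [Unit] trips.
Restart=always
RestartSec=30

# Writable state
# Creates /var/lib/cloudflare-mesh and /var/log/cloudflare-mesh owned by
# User=/Group= if absent and whitelists them under ProtectSystem=strict.
# This replaces hand-written ReadWritePaths= entries for the same two paths
# and removes the dependency on an out-of-band mkdir/chown at install time.
StateDirectory=cloudflare-mesh
LogsDirectory=cloudflare-mesh

# Security hardening
# Filesystem view: whole hierarchy read-only (ProtectSystem=strict already
# covers what a separate ReadOnlyPaths=/ would), no /home, private /tmp and
# /dev, other processes hidden in /proc.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# ProtectProc= needs systemd >= 247; older versions log "unknown key" and
# ignore it, which is safe.
ProtectProc=invisible

# Capabilities: none retained, none may be acquired (empty value resets).
CapabilityBoundingSet=
AmbientCapabilities=

# Kernel and host attack surface
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
RemoveIPC=yes

# Network: the process only needs IPv4/IPv6 for the Cloudflare API plus
# AF_UNIX for local name resolution (nss-resolve/nscd) and journald.
# NOTE(review): glibc's getaddrinfo() probes AF_NETLINK opportunistically and
# falls back cleanly when denied; if name resolution misbehaves, add AF_NETLINK.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# W^X: CPython itself does not need writable+executable mappings, but
# ctypes/cffi-backed dependencies can. TODO(review): confirm against the
# script's imports before relying on this in production.
MemoryDenyWriteExecute=yes

# Syscall allow-list: @system-service is the documented baseline for
# services. TODO(review): once the script's needs are known, consider the
# usual tightening `SystemCallFilter=~@privileged @resources`.
SystemCallFilter=@system-service
SystemCallArchitectures=native

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=drift-guardian

[Install]
WantedBy=multi-user.target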