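# mcdbus.service - systemd unit for the mcdbus D-Bus MCP server.
# Sandboxing follows systemd.exec(5). Several settings below are already
# implied by DynamicUser=yes; they are repeated so the effective policy
# can be read from this file without consulting the manual.
# Dialect: systemd unit file - '#' full-line comments only, Key=Value,
# repeated keys accumulate for list-type settings.

[Unit]
Description=mcdbus D-Bus MCP server
Documentation=https://github.com/supported-systems/mcdbus
# After= only orders the two units when both are scheduled; Wants= also
# pulls the bus in, so the service does not start on a system without it.
Wants=dbus.service
After=dbus.service

[Service]
Type=simple
# Resolved through PATH by env. Pin an absolute path once the install
# location of the binary is fixed, so the unit does not depend on PATH.
ExecStart=/usr/bin/env mcdbus

# --- Identity ---
# Ephemeral user, no persistent UID, no home directory.
# DynamicUser=yes also implies ProtectSystem=strict, PrivateTmp=yes,
# RemoveIPC=yes, NoNewPrivileges=yes and RestrictSUIDSGID=yes.
# If you need supplementary groups (e.g. for polkit rules), switch
# to User=mcdbus with a real system account instead.
DynamicUser=yes
# Anything the service creates (e.g. under its private /tmp) is owner-only.
UMask=0077

# --- Filesystem ---
# Whole filesystem read-only; no writable path is granted at all, so the
# service keeps no persistent state.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectClock=yes
# Hide other users' processes in /proc and expose only the PID directories.
ProtectProc=invisible
ProcSubset=pid
# Empty assignment resets the list: nothing is writable.
ReadWritePaths=

# --- Network ---
# D-Bus is reached over the path-based AF_UNIX bus socket, so socket
# creation is limited to that family; IPv4/IPv6 sockets cannot be opened.
RestrictAddressFamilies=AF_UNIX
# Left at the default (no private network namespace). "yes" would
# additionally hide the host's interfaces; path-based unix sockets such as
# the system bus socket stay reachable from a private namespace.
PrivateNetwork=no

# --- Capabilities ---
# Empty = drop all capabilities. NoNewPrivileges= stops execve() from
# regaining any via setuid/setgid binaries or file capabilities.
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=yes

# --- Syscalls ---
# Allow-list the curated @system-service set, then deny the subsets of it
# a capability-less service has no use for (@privileged, @resources).
# Filtered calls fail with EPERM instead of SIGSYS (SystemCallErrorNumber=),
# so an unexpected call surfaces as a failed syscall, not a killed process.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM

# --- Memory / process hardening ---
# MemoryDenyWriteExecute= is incompatible with runtimes that generate code
# at runtime (JIT engines); revisit if mcdbus moves to such a runtime.
MemoryDenyWriteExecute=yes
LockPersonality=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes

# --- Namespaces ---
RestrictNamespaces=yes

# --- Environment ---
# Timeout handed to mcdbus; its meaning and unit are defined by mcdbus
# (presumably seconds - confirm against the mcdbus documentation).
Environment=MCDBUS_TIMEOUT=30
# Uncomment to require user confirmation for system bus calls:
# Environment=MCDBUS_REQUIRE_ELICITATION=1

# --- Logging ---
StandardOutput=journal
StandardError=journal
SyslogIdentifier=mcdbus

# --- Resource limits ---
# Hard cgroup memory ceiling; TasksMax= caps processes plus threads.
MemoryMax=256M
TasksMax=64

# --- Restart ---
# Restart only after an abnormal exit, 5 seconds apart, to avoid a tight
# crash loop on a persistent failure.
Restart=on-failure
RestartSec=5

[Install]
# default.target resolves to the system manager's boot target. DynamicUser=
# is a system-service feature, so this unit is not usable as a user unit.
WantedBy=default.target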