[Unit]
Description=furt Multi-Tenant API Gateway (Security-Hardened)
After=network.target

[Service]
Type=forking
User=furt
Group=furt
ExecStart=/usr/local/share/furt/scripts/start.sh
PIDFile=/var/run/furt/furt.pid
WorkingDirectory=/usr/local/share/furt
Restart=always
RestartSec=5
StandardOutput=journal
StandardError=journal

# === SECURITY HARDENING ===

# Filesystem Protection
ProtectSystem=strict
ReadWritePaths=/var/run/furt /var/log/furt
ProtectHome=yes

# Process Hardening
NoNewPrivileges=yes
PrivateTmp=yes

# Network Restriction
RestrictAddressFamilies=AF_INET

[Install]
WantedBy=multi-user.target