[Unit]
Description=Kernos MCP Server
After=network.target

[Service]
Type=simple
User=nobody
Group=nogroup
WorkingDirectory=/srv/kernos
ExecStart=/srv/kernos/.venv/bin/kernos
EnvironmentFile=/srv/kernos/.env
Restart=on-failure
RestartSec=5

# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=false
ReadWritePaths=/

[Install]
WantedBy=multi-user.target