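# systemd service unit for the blind_chess server (local LAN instance).
# One directive per line; systemd only recognises full-line comments.

[Unit]
Description=blind_chess server — local LAN instance (chess.local)
Documentation=https://git.sethpc.xyz/Seth/blind_chess
# Start only once the network is reported as online.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Dedicated unprivileged account; the service never runs as root.
User=blindchess
Group=blindchess
WorkingDirectory=/opt/blind-chess/server
ExecStart=/usr/bin/node /opt/blind-chess/server/dist/server.js

# Settings handed to the server through its environment.
Environment=NODE_ENV=production
# NOTE(review): PORT/HOST presumably make the server listen on every interface
# on port 80, and PUBLIC_BASE is plain http:// — traffic is cleartext. Confirm
# the host is reachable from the trusted LAN only.
Environment=PORT=80
Environment=HOST=0.0.0.0
Environment=STATIC_DIR=/opt/blind-chess/client/dist
Environment=PUBLIC_BASE=http://chess.local
Environment=LOG_LEVEL=info

# Restart on any exit, after a 2 second pause.
Restart=always
RestartSec=2s
StandardOutput=journal
StandardError=journal

# Bind privileged port 80 as a non-root user.
# The bounding set is limited to the same single capability, so the process
# cannot acquire any other capability.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# Hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
# NOTE(review): this re-opens the whole install tree for writing, including
# server/dist and client/dist. If those files are owned by blindchess, a
# compromised server process could overwrite the code it runs and the static
# files it serves. Keep the code tree owned by root and narrow this to the
# directory the server actually writes to (or use StateDirectory=) once that
# location is confirmed.
ReadWritePaths=/opt/blind-chess

# Additional sandboxing for a network-facing service. None of these are
# expected to be needed by a Node HTTP server; review the result with
# `systemd-analyze security <unit-name>.service` after deploying.
# MemoryDenyWriteExecute= is deliberately not set: the V8 JIT needs memory
# that is both writable and executable.
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictSUIDSGID=true
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true

[Install]
WantedBy=multi-user.target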