[Unit]
Description=blind_chess server (Fastify + ws)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=blindchess
Group=blindchess
WorkingDirectory=/opt/blind-chess
ExecStart=/usr/bin/node /opt/blind-chess/server/dist/server.js
Environment=NODE_ENV=production
Environment=PORT=3000
Environment=HOST=0.0.0.0
Environment=STATIC_DIR=/opt/blind-chess/client/dist
Environment=PUBLIC_BASE=https://chess.sethpc.xyz
Environment=LOG_LEVEL=info
Restart=always
RestartSec=2s
StandardOutput=journal
StandardError=journal

# Hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/opt/blind-chess

[Install]
WantedBy=multi-user.target