[Unit]
Description=BetterGrow Embed gateway
Wants=network-online.target
After=network-online.target bluetooth.service ModemManager.service

[Service]
Type=simple
User=root
Group=root
Environment=HOME=/home/delphi
Environment=XDG_CONFIG_HOME=/home/delphi/.config
Environment=RUST_LOG=info
ExecStart=/usr/local/bin/bettergrow-embed
Restart=always
RestartSec=5
TimeoutStopSec=20
KillSignal=SIGTERM
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=read-only
ReadWritePaths=/etc/delphi
SupplementaryGroups=dialout
RestrictSUIDSGID=true
LockPersonality=true
MemoryDenyWriteExecute=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
SystemCallArchitectures=native
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
DevicePolicy=closed
DeviceAllow=/dev/null rw
DeviceAllow=/dev/zero r
DeviceAllow=/dev/random r
DeviceAllow=/dev/urandom r
DeviceAllow=/dev/tty rw
DeviceAllow=/dev/ttyUSB1 rw
DeviceAllow=/dev/ttyUSB* rw
DeviceAllow=/dev/ttyACM0 rw
DeviceAllow=/dev/ttyACM* rw
DeviceAllow=/dev/ttyAMA* rw
DeviceAllow=/dev/rfkill rw
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW

[Install]
WantedBy=multi-user.target