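# systemd unit for the vmsig VM signaling coherence daemon (vmsigd).
# Read by systemd (systemd.unit / systemd.exec syntax): '#' full-line comments only,
# Key=Value with no surrounding spaces, space-separated lists in the path directives.

[Unit]
Description=vmsig VM signaling coherence daemon
# No host/VM is named here: the daemon serves whatever appears under its watch dir.
# NOTE(review): the service is restricted to AF_UNIX below, so the network-online
# ordering presumably exists for the cluster filesystem behind /etc/pve rather than for
# any socket of the daemon's own — confirm, and drop both lines if nothing needs it.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# root: reads QEMU-owned /dev/shm RAM backings, dials per-VM QMP, reads /etc/pve (OS-DAC).
# The security boundary is the per-uid grant, not the process uid; per-VM isolation, if
# required, is the deployment's job (process-per-VM), not this daemon's.
User=root
ExecStart=/usr/sbin/vmsigd
Restart=on-failure
# seconds between a failed exit and the restart
RestartSec=2
# systemd creates and owns /run/vmsig (the control socket dir) and cleans it on stop.
RuntimeDirectory=vmsig
RuntimeDirectoryMode=0755
StandardOutput=journal
StandardError=journal

# ---- hardening: contain a root daemon by namespace/capability, not by uid ----
# Empty bounding and ambient sets: uid 0 keeps no capabilities, so every file access
# below is plain DAC, and NoNewPrivileges keeps setuid/fscaps from handing any back.
NoNewPrivileges=true
CapabilityBoundingSet=
AmbientCapabilities=
# Whole hierarchy read-only except the API filesystems (/dev, /proc, /sys). /run/vmsig is
# listed explicitly although RuntimeDirectory= already makes it writable, so the
# daemon's complete writable set is visible in one place.
ProtectSystem=strict
ReadWritePaths=/dev/shm/vmsig /run/vmsig
# Paths in ReadWritePaths=/ReadOnlyPaths= carry no '-' prefix, so each must exist when
# the unit starts or systemd refuses to start it — presumably qemu-server and
# pve-cluster provide /var/run/qemu-server and /etc/pve; who creates /dev/shm/vmsig
# before first start is not stated here. Confirm against the deployment.
ReadOnlyPaths=/etc/pve /var/run/qemu-server
ProtectHome=true
PrivateTmp=true
# QMP and the control socket are path-based UNIX sockets; no IP socket is ever opened.
RestrictAddressFamilies=AF_UNIX
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
# A daemon that only maps files and talks over sockets has no business creating
# namespaces, setuid/setgid files, or realtime threads.
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
# Reject syscalls via non-native ABIs (e.g. the 32-bit compat entry points on x86-64).
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target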