[Unit]
Description=MAESTRO
After=network.target

[Service]
Type=simple
User=maestro
WorkingDirectory=/opt/maestro
ExecStart=/usr/bin/node dist/index.js
Restart=on-failure
RestartSec=10
EnvironmentFile=/opt/maestro/.env

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=maestro

# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/opt/maestro/data /var/lib/maestro/workspaces

[Install]
WantedBy=multi-user.target