# systemd service unit for the aitrader bot.
# Runs the aitrader Python module from its virtualenv as the unprivileged
# "aitrader" user, with file-system and kernel-interface sandboxing applied.

[Unit]
Description=aitrader bot (Gemini+Claude → Kraken Demo)
# Ordering only: After= delays start until these units are up but does not
# pull them in. network-online.target is requested via Wants= below;
# tailscaled.service is not, so it must be enabled separately.
After=network-online.target
After=tailscaled.service
Wants=network-online.target

[Service]
Type=simple
User=aitrader
Group=aitrader
WorkingDirectory=/opt/aitrader
# NOTE(review): presumably holds the API credentials for the services named
# in Description= - confirm. Keep the file mode restrictive (e.g. 0600) and
# out of version control; with ProtectSystem=strict and the ReadWritePaths=
# below, the service itself cannot modify it.
EnvironmentFile=/opt/aitrader/.env
# The venv interpreter is invoked directly; uv is not run at service start.
ExecStart=/opt/aitrader/.venv/bin/python -m aitrader.main
# Restart only after an unclean exit, waiting 10 seconds between attempts.
Restart=on-failure
RestartSec=10
StandardOutput=journal
StandardError=journal

# Hardening
# Block privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=true
# Mount the whole file-system hierarchy read-only for this service (except
# /dev, /proc and /sys); the only writable location is listed in
# ReadWritePaths=.
ProtectSystem=strict
ReadWritePaths=/opt/aitrader/data
# ProtectHome=false because uv places the Python interpreter in
# /home/aitrader/.local/share/uv. /home is still read-only because of
# ProtectSystem=strict, but it stays visible to the service.
# NOTE(review): relocating the interpreter outside /home would allow
# ProtectHome=true - verify before changing.
ProtectHome=false
# Private /tmp and /var/tmp, not shared with other processes on the host.
PrivateTmp=true
# Kernel tunables and control groups are read-only; module loading is denied.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# Deny creating setuid/setgid files and changing the execution domain.
RestrictSUIDSGID=true
LockPersonality=true
# NOTE(review): `systemd-analyze security <unit-name>` lists the sandboxing
# options that are still unset for this unit. Candidates to evaluate:
# PrivateDevices=, CapabilityBoundingSet=, RestrictAddressFamilies=,
# SystemCallFilter=. Test each one before enabling; none is applied here.

[Install]
WantedBy=multi-user.target