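# systemd unit template for the Telegram CLI bot.
# Tokens of the form %NAME% (%USER%, %HOME%, %WORKDIR%, %VENV_PATH%) are
# placeholders, presumably replaced by an install step before the unit is
# copied into place. systemd reads "%" as the start of a specifier, so an
# unrendered copy of this file must not be installed as-is.
# One directive per line: systemd does not parse several directives, or a
# trailing comment, on the same line.

[Unit]
Description=Telegram CLI Bot
After=network.target

[Service]
Type=simple
# Account the bot runs as; use a dedicated unprivileged user, not root.
User=%USER%
# The relative "bot.py" argument in ExecStart is resolved from this directory.
WorkingDirectory=%WORKDIR%
# Executable search path: %VENV_PATH% first, then one pinned nvm Node.js
# release, then the system directories. The Node.js version is hard-coded and
# has to be edited whenever nvm installs a different release.
# NOTE(review): the home directory is written as /home/%USER% here and in
# NVM_DIR but as %HOME% in ReadWritePaths; the two differ when the account's
# home is not under /home. Confirm which form the install step expects.
Environment="PATH=%VENV_PATH%:/home/%USER%/.config/nvm/versions/node/v24.13.1/bin:/usr/local/bin:/usr/bin:/bin"
Environment="QWEN_CODE_PATH=%VENV_PATH%/qwen"
Environment="NVM_DIR=/home/%USER%/.nvm"
ExecStart=%VENV_PATH%/python bot.py
# Restart after every exit, waiting 10 seconds between attempts.
Restart=always
RestartSec=10
# Send stdout and stderr to the journal under the tag "telegram-bot".
StandardOutput=journal
StandardError=journal
SyslogIdentifier=telegram-bot

# Security hardening, with the exceptions the bot needs in order to work.
# Block privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=true
# Mount the whole file system read-only for this service, apart from /dev,
# /proc, /sys and the ReadWritePaths entries below.
ProtectSystem=strict
# /home, /root and /run/user are read-only apart from the ReadWritePaths entries.
ProtectHome=read-only
# Give the service its own private /tmp and /var/tmp.
PrivateTmp=true
# Writable exceptions to the two Protect* settings above.
# NOTE(review): when %HOME% is /home/%USER%, %HOME%/.config/nvm contains the
# Node.js bin directory that PATH puts ahead of the system directories, and
# %VENV_PATH% may lie under %WORKDIR% (confirm). The service can then rewrite
# executables it later runs, and Restart=always would start a tampered binary
# again on every restart. Where possible, limit these entries to the data and
# cache directories that need writes and keep interpreter and tool
# directories read-only.
# NOTE(review): assess the remaining exposure with
# "systemd-analyze security <unit-name>.service". Candidates to evaluate
# include ProtectKernelTunables=, ProtectKernelModules=,
# ProtectControlGroups=, RestrictSUIDSGID= and LockPersonality=.
# MemoryDenyWriteExecute= is likely incompatible with Node.js JIT compilation.
ReadWritePaths=%WORKDIR% %HOME%/.npm-global %HOME%/.nvm %HOME%/.config/nvm %HOME%/.cache

[Install]
WantedBy=multi-user.target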