[Unit]
Description=Montana Local Node (M8 cross-machine, Proof-of-Time)
Documentation=https://github.com/efir369999/Montana
After=network.target
Wants=network-online.target

[Service]
Type=simple
User=montana
Group=montana
ExecStart=/usr/local/bin/montana-node start --data-dir /var/lib/montana --listen /ip4/0.0.0.0/tcp/8444 --genesis-manifest /etc/montana/genesis-manifest.json
Restart=on-failure
RestartSec=10
StandardOutput=journal
StandardError=journal

# Hardening (per systemd security best-practice)
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/montana
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=no
SystemCallArchitectures=native

# Resource limits — узел single-thread + libp2p network thread (1 узел = ~110% CPU max)
CPUQuota=200%
LimitNOFILE=8192

[Install]
WantedBy=multi-user.target