# systemd unit for the xdp-defense daemon (CIDR blocker + DDoS defense).
# No User= is set in this unit, so the service runs as root unless a drop-in
# overrides it; the sandboxing and capability settings below are what limit it.

[Unit]
Description=XDP Defense - Unified CIDR Blocker + DDoS Defense
# Start only after the network is reported online, and pull that target in.
After=network-online.target
Wants=network-online.target
Documentation=man:xdp-defense(8)

[Service]
Type=simple
# Runs before the daemon; a non-zero exit here fails the unit start.
# presumably loads/attaches the XDP programs - confirm against xdp-defense(8)
ExecStartPre=/usr/local/bin/xdp-defense load
ExecStart=/usr/local/bin/xdp-defense daemon start-foreground
# presumably detaches the programs and stops helpers - confirm
ExecStop=/usr/local/bin/xdp-defense stop-all
# Reload sends SIGHUP to the main process; the daemon must handle SIGHUP as a
# config reload rather than terminate on it - confirm.
ExecReload=/bin/kill -HUP $MAINPID
# Restart 5 seconds after an unclean exit. A crash loop repeats ExecStartPre
# each time, so the start rate limit (StartLimit*) is worth monitoring.
Restart=on-failure
RestartSec=5

# Security hardening
# File system is mounted read-only for this service except the paths listed in
# ReadWritePaths= (and the API file systems such as /sys, which strict mode
# leaves writable).
ProtectSystem=strict
# NOTE(review): /tmp here is the host's shared, world-writable /tmp. A root
# service writing there is exposed to symlink and predictable-name races from
# local users. If the daemon only needs scratch space, PrivateTmp=true or a
# RuntimeDirectory= would remove that exposure - confirm nothing outside the
# service reads these files first.
# NOTE(review): /etc/xdp-defense is writable, so a compromised daemon can
# rewrite its own configuration (e.g. block/allow lists) persistently.
ReadWritePaths=/var/lib/xdp-defense /etc/xdp-defense /sys/fs/bpf /tmp
ProtectHome=true
# NOTE(review): false is the systemd default, so this line adds no hardening;
# it leaves setuid/file-capability privilege gain possible for child
# processes. Set to true if the daemon never needs to exec such binaries.
NoNewPrivileges=false
# The bounding set is the effective limit for a root service.
# NOTE(review): CAP_SYS_ADMIN is very broad and largely cancels the benefit of
# listing the narrower CAP_BPF/CAP_PERFMON. It is presumably kept for kernels
# that predate CAP_BPF - confirm, and drop it where the target kernels allow.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_BPF CAP_SYS_ADMIN CAP_PERFMON
# Ambient capabilities mainly matter if the service is later moved to a
# non-root User=; as root they do not narrow anything beyond the bounding set.
AmbientCapabilities=CAP_NET_ADMIN CAP_BPF CAP_SYS_ADMIN CAP_PERFMON

[Install]
WantedBy=multi-user.target