# systemd service unit for blehd, the Bleh MXW01 helper daemon.
# No User= is set, so the daemon runs as root; the sandboxing directives below
# narrow what that root process can reach.
[Unit]
Description=Bleh MXW01 helper daemon (root)
# Ordering only: start after network.target if it is part of the same
# transaction. This does not pull network.target in.
After=network.target

[Service]
# The service counts as started as soon as the main process has been executed;
# there is no readiness notification.
Type=simple
# The socket path lives inside the RuntimeDirectory declared below.
# NOTE(review): presumably --group makes the socket accessible to members of
# group "bleh"; confirm the ownership and mode blehd applies to the socket.
ExecStart=/usr/local/bin/blehd --socket /run/bleh/blehd.sock --group bleh
# Restart one second after an unclean exit (non-zero status, signal, timeout).
Restart=on-failure
RestartSec=1

# systemd creates /run/bleh before start and removes it when the service stops.
# With no User=/Group= the directory is owned by root.
RuntimeDirectory=bleh
# 0755 lets any local user traverse the directory, so who may talk to the root
# daemon is decided only by the permissions on the socket file itself.
RuntimeDirectoryMode=0755

# Hardening (still useful even as root)
# NOTE(review): there is no CapabilityBoundingSet=, RestrictAddressFamilies= or
# SystemCallFilter= here, so the process keeps root's full capability set.
# Narrow these once the daemon's real needs are confirmed;
# `systemd-analyze security <unit-name>.service` lists the remaining exposure.

# The process and its children cannot gain privileges through execve()
# (setuid/setgid binaries, file capabilities).
NoNewPrivileges=true
# Private /tmp and /var/tmp, not shared with the rest of the system.
PrivateTmp=true
# The whole file system hierarchy is mounted read-only for the service, except
# the API file systems /dev, /proc and /sys; the RuntimeDirectory stays writable.
ProtectSystem=strict
# /home, /root and /run/user are inaccessible and appear empty.
ProtectHome=true
# Kernel tunables under /proc/sys, /sys and similar paths become read-only.
ProtectKernelTunables=true
# Explicit kernel module loading is denied.
ProtectKernelModules=true
# The control group hierarchy under /sys/fs/cgroup becomes read-only.
ProtectControlGroups=true
# Setting the set-user-ID or set-group-ID bit on files is denied.
RestrictSUIDSGID=true
# The execution domain cannot be changed through personality().
LockPersonality=true
# Memory mappings that are both writable and executable are refused.
# NOTE(review): the systemd documentation recommends pairing this with
# SystemCallArchitectures=native so that an alternative ABI cannot bypass the
# filter; confirm blehd is a native binary before adding it.
MemoryDenyWriteExecute=true

[Install]
# `systemctl enable` hooks the unit into the normal multi-user boot target.
WantedBy=multi-user.target