# Volt VM SystemD Unit Template
# Usage: systemctl start volt-vm@myvm.service
#
# Template unit: %i expands to the (escaped) instance name, i.e. the text
# between "@" and ".service". The same name is passed as an argument to
# volt-runtime and is used to build the per-VM state path below.
# NOTE(review): no User=/Group= is set in this file, so unless a drop-in adds
# one the runtime starts as root inside the sandbox defined below.

[Unit]
Description=Volt VM %i
Documentation=https://voltvisor.io
# Requires= stops this VM when volt-runtime.service stops; After= orders startup.
After=network.target volt-runtime.service
Requires=volt-runtime.service
Wants=volt-network.service

[Service]
Type=notify
# NOTE(review): "all" accepts sd_notify messages (READY=1, STATUS=, MAINPID=)
# from every process in this unit's control group, not only the runtime.
# If only the process started by ExecStart= sends notifications, "main" is the
# narrower setting; confirm against how volt-runtime reports readiness.
NotifyAccess=all

# VM Runtime
# Commands are executed directly by systemd (no shell); %i arrives as one argument.
ExecStartPre=/usr/bin/volt-runtime prepare %i
ExecStart=/usr/bin/volt-runtime run %i
ExecStop=/usr/bin/volt-runtime stop %i
ExecStopPost=/usr/bin/volt-runtime cleanup %i

# Restart policy
Restart=on-failure
RestartSec=5s
TimeoutStartSec=30s
TimeoutStopSec=30s

# Resource limits via cgroups v2
# These are defaults, overridden per-VM in drop-in files
# MemoryHigh= is the throttling threshold, MemoryMax= the hard limit.
MemoryMax=512M
MemoryHigh=400M
CPUQuota=100%
TasksMax=4096
IOWeight=100

# Security hardening
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectClock=yes
# Explicit relaxation: the service may create any namespace type.
# NOTE(review): if the runtime only needs some namespace types, listing them
# here (instead of "no") would narrow this; the needed set is not visible in
# this file.
RestrictNamespaces=no
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
# Explicit relaxation: writable+executable memory mappings stay allowed.
# NOTE(review): presumably required by the VM runtime; confirm, and document
# the reason so the exception is not copied into unrelated units.
MemoryDenyWriteExecute=no
RemoveIPC=yes

# Capabilities
# NOTE(review): CAP_SYS_ADMIN is kept in the bounding set. systemd.exec(5)
# states that mount-based restrictions (ProtectSystem=, ReadOnlyPaths=,
# InaccessiblePaths=, ...) can be undone by privileged processes and
# recommends pairing them with CapabilityBoundingSet=~CAP_SYS_ADMIN or
# SystemCallFilter=~@mount. Neither is present here, so the filesystem
# hardening in this unit should not be treated as a hard boundary.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SETUID CAP_SETGID CAP_MKNOD
# Empty assignment: no ambient capabilities are granted.
AmbientCapabilities=

# Namespaces (used for VM isolation)
# NOTE(review): with PrivateUsers=yes the service gets its own user namespace
# and, per systemd.exec(5), holds no capabilities in the host's user
# namespace; CapabilityBoundingSet= then only applies inside the service's
# namespace. Combined with PrivateNetwork=no (host network namespace is
# shared), CAP_NET_ADMIN above cannot reconfigure host networking, and
# CAP_MKNOD is similarly limited. Verify that this matches what volt-runtime
# expects; otherwise the capability list overstates what the service can do.
PrivateUsers=yes
PrivateNetwork=no
PrivateMounts=yes

# Filesystem restrictions
# Only the per-VM directory is writable; kernels and images are read-only.
ReadWritePaths=/var/lib/volt/vms/%i
ReadOnlyPaths=/var/lib/volt/kernels /var/lib/volt/images
# Overlaps with ProtectHome=yes above, which already hides /home and /root.
InaccessiblePaths=/home /root

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=volt-vm-%i

[Install]
WantedBy=multi-user.target