[Unit]
Description=Docker Magic Firewall
After=docker.service network-online.target firewalld.service
Requires=docker.service
Wants=network-online.target
StartLimitIntervalSec=60
StartLimitBurst=10

[Service]
Type=exec
Restart=on-failure
RestartSec=5s
ExecStart=/usr/bin/python3 /opt/docker_magicfw.py

# Environment variables (customize as needed)
Environment=LOG_LEVEL=INFO
Environment=ENABLE_IPV4=true
Environment=ENABLE_IPV6=true
Environment=DISABLE_NAT=true

# Security hardening
User=root
Group=root
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=read-only
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target