CIS490/etc/cis490-orchestrator.service

[Unit]
Description=CIS490 episode campaign runner
Documentation=https://maxgit.wg/spectral/CIS490
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=cis490
Group=cis490
SupplementaryGroups=kvm
WorkingDirectory=/opt/cis490
ExecStart=/opt/cis490/.venv/bin/python tools/run_campaign.py \
    --data-root /var/lib/cis490/data \
    --target 100
Restart=on-failure
RestartSec=10

# Hardening
NoNewPrivileges=true
PrivateTmp=false
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/cis490 /tmp/cis490-vm /dev/kvm
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
LockPersonality=true
RestrictRealtime=true
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target