[Unit]
Description=mGPUmanager — GPU-Inference-Control-Plane for mRock
Documentation=https://mgit.msbls.de/m/mGPUmanager
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=m
Group=m
WorkingDirectory=/home/m/dev/mGPUmanager
ExecStart=/home/m/dev/mGPUmanager/bin/mgpumanager \
    --config /home/m/dev/mGPUmanager/config/consumers.yaml \
    --log-level info
Restart=on-failure
RestartSec=3
TimeoutStopSec=10

# Hardening — broker has no need for elevated capabilities.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/home/m/dev/mGPUmanager

# The broker only proxies; nvidia-smi is the only GPU-touching call.
PrivateDevices=false

[Install]
WantedBy=multi-user.target