[Unit]
Description=Run mcp-browser in MCP server mode
Documentation=https://github.com/Xilope0/mcp-browser
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
Environment="PYTHONUNBUFFERED=1"
Environment="MCP_BROWSER_BIN=%h/.local/bin/mcp-browser"
Environment="MCP_BROWSER_CONFIG=%h/.config/mcp-browser/config.yaml"
Environment="MCP_BROWSER_SERVER=default"
Environment="MCP_BROWSER_MODE=server"
Environment="MCP_BROWSER_NO_BUILTIN=false"
Environment="MCP_BROWSER_TRANSPORT="
Environment="MCP_BROWSER_TRANSPORT_URL="
Environment="MCP_BROWSER_EXTRA_ARGS="
EnvironmentFile=-%h/.config/mcp-browser/browser.env

ExecStart=/usr/bin/env bash -lc 'set -eu
ARGS=()
if [[ "$MCP_BROWSER_NO_BUILTIN" == "true" ]]; then
  ARGS+=(--no-builtin)
fi
if [[ -n "$MCP_BROWSER_TRANSPORT" ]]; then
  ARGS+=(--transport "$MCP_BROWSER_TRANSPORT")
fi
if [[ -n "$MCP_BROWSER_TRANSPORT_URL" ]]; then
  ARGS+=(--transport-url "$MCP_BROWSER_TRANSPORT_URL")
fi
exec "$MCP_BROWSER_BIN" \
  --mode "$MCP_BROWSER_MODE" \
  --config "$MCP_BROWSER_CONFIG" \
  --server "$MCP_BROWSER_SERVER" \
  "${ARGS[@]}" \
  $MCP_BROWSER_EXTRA_ARGS'

Restart=on-failure
RestartSec=5
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

[Install]
WantedBy=default.target