feat: systemd user service file for headless deployment

Hardened unit with ProtectSystem/ProtectHome, auto-restart on failure,
and ExecReload for SIGHUP hot config reload. Docs updated with setup,
management, and enable-linger instructions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/CHEATSHEET.md

@@ -9,6 +9,18 @@ bouncer --version                      # version
 bouncer --help                         # help
 ```
 
+## Systemd
+
+```bash
+systemctl --user enable bouncer       # enable at boot
+systemctl --user start bouncer        # start
+systemctl --user stop bouncer         # stop
+systemctl --user restart bouncer      # restart
+systemctl --user reload bouncer       # hot reload (SIGHUP)
+systemctl --user status bouncer       # status
+journalctl --user -u bouncer -f       # follow logs
+```
+
 ## Podman
 
 ```bash
@@ -219,6 +231,7 @@ password                          # optional, IRC server PASS
 |------|---------|
 | `config/bouncer.toml` | Active config (gitignored) |
 | `config/bouncer.example.toml` | Example template |
+| `config/bouncer.service` | Systemd user service unit |
 | `config/bouncer.db` | SQLite backlog (auto-created) |
 | `{data_dir}/bouncer.pem` | Listener TLS cert (auto-created) |
 | `{data_dir}/certs/{net}/{nick}.pem` | Client certificates (auto-created) |

docs/INSTALL.md

@@ -68,6 +68,45 @@ Verify:
 which bouncer
 ```
 
+## Systemd (User Service)
+
+Install and enable the bouncer as a user service (no root required):
+
+```bash
+mkdir -p ~/.config/systemd/user
+cp config/bouncer.service ~/.config/systemd/user/bouncer.service
+```
+
+Edit `ExecStart=` paths if your install differs from the defaults:
+
+```bash
+$EDITOR ~/.config/systemd/user/bouncer.service
+```
+
+Enable and start:
+
+```bash
+systemctl --user daemon-reload
+systemctl --user enable bouncer
+systemctl --user start bouncer
+```
+
+Enable lingering so the service runs without an active login session:
+
+```bash
+sudo loginctl enable-linger $USER
+```
+
+### Management
+
+```bash
+systemctl --user status bouncer       # check status
+systemctl --user restart bouncer      # restart
+systemctl --user stop bouncer         # stop
+journalctl --user -u bouncer -f       # follow logs
+systemctl --user reload bouncer       # hot reload config (SIGHUP)
+```
+
 ## Dependencies
 
 Installed automatically by `make dev`:

docs/USAGE.md

@@ -684,6 +684,20 @@ Results are sent back as NOTICE messages.
 | farm_enabled, farm_interval, etc. | Farm started/stopped |
 | bind, port, password, client_tls | Warning logged (restart required) |
 
+## Systemd
+
+The bouncer ships with a systemd user service file. See [INSTALL.md](INSTALL.md)
+for setup. Key operations:
+
+```bash
+systemctl --user start bouncer        # start
+systemctl --user stop bouncer         # stop
+systemctl --user reload bouncer       # hot reload (SIGHUP)
+journalctl --user -u bouncer -f       # follow logs
+```
+
+The service restarts automatically on failure (`RestartSec=10`).
+
 ## Stopping
 
 Press `Ctrl+C` or send `SIGTERM`. The bouncer shuts down gracefully, closing