soft-serve.service

 1[Unit]
 2Description=Soft Serve git server 🍦
 3Documentation=https://github.com/charmbracelet/soft-serve
 4Requires=network-online.target
 5After=network-online.target
 6
 7[Service]
 8Type=simple
 9User=soft-serve
10Group=soft-serve
11Restart=always
12RestartSec=1
13ExecStart=/usr/bin/soft serve
14Environment=SOFT_SERVE_DATA_PATH=/var/lib/soft-serve
15EnvironmentFile=-/etc/soft-serve.conf
16WorkingDirectory=/var/lib/soft-serve
17
18# Hardening
19ReadWritePaths=/var/lib/soft-serve
20UMask=0027
21NoNewPrivileges=true
22LimitNOFILE=1048576
23ProtectSystem=strict
24ProtectHome=true
25PrivateUsers=yes
26PrivateTmp=true
27PrivateDevices=true
28ProtectHostname=true
29ProtectClock=true
30ProtectKernelTunables=true
31ProtectKernelModules=true
32ProtectKernelLogs=true
33ProtectControlGroups=true
34RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
35RestrictNamespaces=true
36LockPersonality=true
37MemoryDenyWriteExecute=true
38RestrictRealtime=true
39RestrictSUIDSGID=true
40RemoveIPC=true
41CapabilityBoundingSet=
42AmbientCapabilities=
43SystemCallFilter=@system-service
44SystemCallFilter=~@privileged @resources
45SystemCallArchitectures=native
46
47[Install]
48WantedBy=multi-user.target