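# systemd service unit for the Soft Serve git server.
# Runs `/usr/bin/soft serve` as the unprivileged soft-serve account inside a
# restrictive sandbox. The sandbox settings below apply to every process of
# the service, including anything the server itself spawns.

[Unit]
Description=Soft Serve git server 🍦
Documentation=https://github.com/charmbracelet/soft-serve
# Start only after network-online.target has been reached. systemd.special(7)
# suggests pulling this target in with Wants=; Requires= is the stricter form
# and is kept here as written.
Requires=network-online.target
After=network-online.target

[Service]
Type=simple
# Dedicated account. This unit does not create it; it must already exist.
User=soft-serve
Group=soft-serve
# Restart one second after any exit, clean or not. A process killed by the
# sandbox (see SystemCallFilter= below) therefore shows up as repeated
# restarts in the journal rather than as a stopped service.
Restart=always
RestartSec=1
ExecStart=/usr/bin/soft serve
# The leading "-" makes the file optional. It is read by the service manager,
# not by the soft-serve user, so it can stay root-owned and unreadable to
# other accounts if it carries secrets.
EnvironmentFile=-/etc/soft-serve.conf
# Must exist and be writable by soft-serve; no StateDirectory= is set, so
# systemd will not create it.
WorkingDirectory=/var/lib/soft-serve

# Hardening
# With ProtectSystem=strict the file system is mounted read-only for the
# service; this is the only path re-opened for writing.
ReadWritePaths=/var/lib/soft-serve
# New files get no permissions for "other" and no write bit for the group.
UMask=0027
# Blocks privilege gain through execve() (setuid/setgid bits, file caps).
NoNewPrivileges=true
# Resource limit rather than a restriction: raises the open-file ceiling.
# It is applied by the service manager, so the process does not need the
# @resources syscalls that are filtered out further down.
LimitNOFILE=1048576
ProtectSystem=strict
# /home, /root and /run/user are made inaccessible.
ProtectHome=true
# Private user namespace: only root and the service's own user/group are
# mapped, everything else appears as nobody.
PrivateUsers=true
# Private /tmp and /var/tmp, and a minimal /dev without physical devices.
PrivateTmp=true
PrivateDevices=true
# Kernel and host state the service has no reason to change.
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
# Only Unix-domain and IP sockets may be created (no netlink, packet, etc.).
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
LockPersonality=true
# Denies memory mappings that are writable and executable at the same time.
# Any spawned helper that relies on runtime code generation will fail here.
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
# Empty assignments clear both sets: the service holds no capabilities at
# all, so by default it cannot bind ports below 1024.
CapabilityBoundingSet=
AmbientCapabilities=
# Order matters: the first line is the allow-list, the second ("~") then
# removes the @privileged and @resources groups from it.
# No SystemCallErrorNumber= is set, so a filtered call terminates the
# process instead of returning an error; look for seccomp/SIGSYS entries in
# the journal or audit log when diagnosing unexpected restarts.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# Rejects syscalls made through non-native ABIs, which would otherwise be a
# way around the filter above.
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target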