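# Unit metadata and start-up ordering for the Soft Serve git server.
[Unit]
Description=Soft Serve git server 🍦
Documentation=https://github.com/charmbracelet/soft-serve
# Pull in network-online.target and order this unit after it, so the
# server is only started once the network is reported as up.
Requires=network-online.target
After=network-online.target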
6
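# How the daemon is started and restarted, plus its sandbox settings.
[Service]
Type=simple
Restart=always
RestartSec=1
# NOTE(review): this creates /var/local/lib/soft-serve, but the sandbox below
# only leaves /var/lib/soft-serve writable (ProtectSystem=strict +
# ReadWritePaths=). Confirm which directory the server really uses and make
# the two agree. The ReadWritePaths= directory must also exist before start.
ExecStartPre=mkdir -p /var/local/lib/soft-serve
ExecStart=/usr/bin/soft serve
# The leading "-" makes a missing file non-fatal. The file sets the service
# environment, so keep it root-owned and not writable by other users.
EnvironmentFile=-/etc/soft.conf

# Hardening
# These directives are exec/sandbox settings and only take effect in
# [Service]; systemd ignores them (with a warning) in [Install].
# Check the result with: systemd-analyze security <unit name>
# NOTE(review): no User= is set in this unit, so the process runs as root
# (with an empty capability set) - consider a dedicated service account.

# File system: everything is read-only except the data directory, and home
# directories are hidden.
ProtectSystem=strict
ReadWritePaths=/var/lib/soft-serve
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
# New files are created without any access for "other".
UMask=0027

# Privileges: no capabilities, and no way to gain any via setuid/setgid
# binaries or file capabilities.
NoNewPrivileges=true
CapabilityBoundingSet=
AmbientCapabilities=
RestrictSUIDSGID=true
PrivateUsers=true

# Kernel and host state the service has no reason to change.
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true

# Attack-surface reduction.
# Only UNIX-domain and IPv4/IPv6 sockets can be created.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RemoveIPC=true
# Start from the @system-service allow-list, then remove the privileged and
# resource-control groups (the "~" prefix subtracts from the list).
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native

# Resource limit, not a restriction: raises the open-file limit.
LimitNOFILE=1048576

# Start the service at boot as part of the normal multi-user target.
[Install]
WantedBy=multi-user.target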