forgejo/trunk/systemd.service

   1 [Unit]
   2 Description=Forgejo
   3 After=syslog.target
   4 After=network.target
   5 After=mysqld.service
   6 After=postgresql.service
   7 After=memcached.service
   8 After=redis.service
   9
  10 [Service]
  11 User=forgejo
  12 Group=forgejo
  13 Type=simple
  14 WorkingDirectory=~
  15 RuntimeDirectory=forgejo
  16 LogsDirectory=forgejo
  17 StateDirectory=forgejo
  18 Environment=USER=forgejo HOME=/var/lib/forgejo GITEA_WORK_DIR=/var/lib/forgejo
  19 ExecStart=/usr/bin/forgejo web -c /etc/forgejo/app.ini
  20 Restart=always
  21 RestartSec=2s
  22 ReadWritePaths=/etc/forgejo/app.ini
  23 AmbientCapabilities=
  24 CapabilityBoundingSet=
  25 LockPersonality=true
  26 #Required by commit search
  27 #MemoryDenyWriteExecute=true
  28 NoNewPrivileges=True
  29 #SecureBits=noroot-locked
  30 PrivateDevices=true
  31 PrivateTmp=true
  32 PrivateUsers=true
  33 ProtectClock=true
  34 ProtectControlGroups=true
  35 ProtectHome=true
  36 ProtectHostname=true
  37 ProtectKernelLogs=true
  38 ProtectKernelModules=true
  39 ProtectKernelTunables=true
  40 ProtectProc=invisible
  41 ProtectSystem=strict
  42 RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
  43 RestrictNamespaces=true
  44 RestrictRealtime=true
  45 RestrictSUIDSGID=true
  46 SystemCallArchitectures=native
  47 SystemCallFilter=@system-service
  48 SystemCallErrorNumber=EPERM
  49
  50 [Install]
  51 WantedBy=multi-user.target