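# systemd unit for the Gitea web service. It runs as the unprivileged
# "gitea" account inside a restrictive sandbox.
[Unit]
Description=Gitea (Git with a cup of tea)
# After= only orders start-up. It does not pull these units in, and entries
# naming units that are not installed have no effect.
After=syslog.target
After=network.target
After=mysqld.service
After=postgresql.service
After=memcached.service
After=redis.service

[Service]
User=gitea
Group=gitea
Type=simple
# "~" resolves to the home directory of the account named in User=.
WorkingDirectory=~
# systemd creates /run/gitea, /var/log/gitea and /var/lib/gitea for the service
# user. These directories stay writable even with ProtectSystem=strict below.
RuntimeDirectory=gitea
LogsDirectory=gitea
StateDirectory=gitea
Environment=USER=gitea HOME=/var/lib/gitea GITEA_WORK_DIR=/var/lib/gitea GITEA_CUSTOM=/var/lib/gitea/custom/
ExecStart=/usr/bin/gitea web -c /var/lib/gitea/custom/conf/app.ini --custom-path=/var/lib/gitea/custom/
Restart=always
RestartSec=2s
# app.ini sits below the StateDirectory, which is already writable, so this
# entry documents intent rather than narrowing write access. The leading "-"
# tells systemd to skip the path when the file does not exist yet, instead of
# failing namespace setup and refusing to start.
# NOTE(review): app.ini normally holds credentials and signing secrets; confirm
# it is owned by gitea and not world-readable.
ReadWritePaths=-/var/lib/gitea/custom/conf/app.ini
# Empty assignments clear both capability sets, so the process holds no
# capabilities. By default it therefore cannot bind ports below 1024 itself.
AmbientCapabilities=
CapabilityBoundingSet=
LockPersonality=true
# MemoryDenyWriteExecute= is left disabled on purpose: per the original note,
# commit search stops working when it is enabled.
#MemoryDenyWriteExecute=true
NoNewPrivileges=true
#SecureBits=noroot-locked
# Private /dev, private /tmp and /var/tmp, and a private user namespace.
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
# Hides /home, /root and /run/user. The service's HOME is /var/lib/gitea, so it
# is not affected.
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
# The whole file system is read-only except the directories and paths granted
# above.
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
# System calls outside the @system-service set fail with EPERM instead of
# terminating the process.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target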