[Unit]
Description=Soft Serve git server 🍦
Documentation=https://github.com/charmbracelet/soft-serve
Requires=network-online.target
After=network-online.target

[Service]
Type=simple
User=soft-serve
Group=soft-serve
Restart=always
RestartSec=1
ExecStart=/usr/bin/soft serve
EnvironmentFile=-/etc/soft-serve.conf
WorkingDirectory=/var/lib/soft-serve

# Hardening
ReadWritePaths=/var/lib/soft-serve
UMask=0027
NoNewPrivileges=true
LimitNOFILE=1048576
ProtectSystem=strict
ProtectHome=true
PrivateUsers=yes
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
CapabilityBoundingSet=
AmbientCapabilities=
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target