[Unit] Description=Soft Serve git server 🍦 Documentation=https://github.com/charmbracelet/soft-serve Requires=network-online.target After=network-online.target [Service] Type=simple User=soft-serve Group=soft-serve Restart=always RestartSec=1 ExecStart=/usr/bin/soft serve EnvironmentFile=-/etc/soft-serve.conf WorkingDirectory=/var/lib/soft-serve # Hardening ReadWritePaths=/var/lib/soft-serve UMask=0027 NoNewPrivileges=true LimitNOFILE=1048576 ProtectSystem=strict ProtectHome=true PrivateUsers=yes PrivateTmp=true PrivateDevices=true ProtectHostname=true ProtectClock=true ProtectKernelTunables=true ProtectKernelModules=true ProtectKernelLogs=true ProtectControlGroups=true RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictNamespaces=true LockPersonality=true MemoryDenyWriteExecute=true RestrictRealtime=true RestrictSUIDSGID=true RemoveIPC=true CapabilityBoundingSet= AmbientCapabilities= SystemCallFilter=@system-service SystemCallFilter=~@privileged @resources SystemCallArchitectures=native [Install] WantedBy=multi-user.target