[Unit]
Description=Forgejo (Beyong coding. We forge.)
After=syslog.target
After=network.target
After=mysqld.service
After=postgresql.service
After=memcached.service
After=redis.service

[Service]
User=forgejo
Group=forgejo
Type=simple
WorkingDirectory=~
RuntimeDirectory=forgejo
LogsDirectory=forgejo
StateDirectory=forgejo
Environment=USER=forgejo HOME=/var/lib/forgejo GITEA_WORK_DIR=/var/lib/forgejo
ExecStart=/usr/bin/forgejo web -c /etc/forgejo/app.ini
Restart=always
RestartSec=2s
CapabilityBoundingSet=
NoNewPrivileges=True
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/etc/forgejo/app.ini
PrivateTmp=true
PrivateDevices=true
PrivateUsers=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target