| 1 | [Unit] |
| 2 | Description=shithub web server |
| 3 | After=network-online.target postgresql.service |
| 4 | Wants=network-online.target |
| 5 | Requires=postgresql.service |
| 6 | |
| 7 | [Service] |
| 8 | Type=simple |
| 9 | User=shithub |
| 10 | Group=shithub |
| 11 | EnvironmentFile=/etc/shithub/web.env |
| 12 | # Run pending migrations BEFORE starting. ExecStartPre failure |
| 13 | # prevents the unit from starting (correct behavior for a bad |
| 14 | # migration). Recovery is documented in runbooks/upgrade.md. |
| 15 | ExecStartPre=/usr/local/bin/shithubd migrate up |
| 16 | ExecStart=/usr/local/bin/shithubd web |
| 17 | Restart=on-failure |
| 18 | RestartSec=2 |
| 19 | LimitNOFILE=65535 |
| 20 | |
| 21 | # Hardening — match systemd-analyze security defaults where they |
| 22 | # don't conflict with the app's needs (writes to data root, opens |
| 23 | # port 8080). |
| 24 | NoNewPrivileges=yes |
| 25 | ProtectSystem=strict |
| 26 | ProtectHome=yes |
| 27 | PrivateTmp=yes |
| 28 | ReadWritePaths=/data /var/lib/shithub |
| 29 | ProtectKernelTunables=yes |
| 30 | ProtectKernelModules=yes |
| 31 | ProtectKernelLogs=yes |
| 32 | ProtectControlGroups=yes |
| 33 | RestrictNamespaces=yes |
| 34 | RestrictRealtime=yes |
| 35 | RestrictSUIDSGID=yes |
| 36 | LockPersonality=yes |
| 37 | MemoryDenyWriteExecute=yes |
| 38 | SystemCallArchitectures=native |
| 39 | |
| 40 | [Install] |
| 41 | WantedBy=multi-user.target |