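# systemd unit for the shithubd-runner service (the "shithub Actions runner").
# Read by systemd: `#` full-line comments only, `=` delimiter, no inline comments.
# Each Key=Value line is a systemd directive; see systemd.unit(5), systemd.service(5)
# and systemd.exec(5) for the exact semantics of each one.

[Unit]
Description=shithub Actions runner
# Ordering only: start after the network is online and after Docker, dnsmasq and
# the runner firewall unit have been started.
After=network-online.target docker.service dnsmasq.service shithub-runner-firewall.service
# Soft dependencies: pulled in at start, but their failure does not stop this unit.
Wants=network-online.target docker.service
# Hard dependencies: if dnsmasq or the firewall unit stops or fails, this unit is
# stopped as well. Together with After= above this guarantees the firewall unit is
# active before the runner starts.
# NOTE(review): docker.service is only Wants=, so the runner still starts when
# Docker failed to come up — presumably intended (e.g. socket activation); confirm.
Requires=dnsmasq.service shithub-runner-firewall.service

[Service]
# The ExecStart process is the main process; systemd considers the unit started
# as soon as that process has been forked.
Type=simple
User=shithub-runner
Group=shithub-runner
# Membership in the docker group grants control of the Docker daemon, which is
# root-equivalent on the host; see the hardening note below.
SupplementaryGroups=docker
# Environment for the runner process. If this file carries a registration token
# or other secret, keep it root-owned and not world-readable; systemd's
# LoadCredential= is the mechanism intended for secrets and is worth considering.
EnvironmentFile=/etc/shithubd-runner/runner.env
ExecStart=/usr/local/bin/shithubd-runner run --config /etc/shithubd-runner/config.toml
# Restart only after an unclean exit (non-zero status, signal or timeout), two
# seconds later; systemd's default start-rate limit still caps a crash loop.
Restart=on-failure
RestartSec=2
# Open-file-descriptor limit for the runner process.
LimitNOFILE=65535

# Docker socket access still makes the host trusted infrastructure.
# Container-level hardening lives in internal/runner/engine/docker.go
# and the pinned seccomp profile installed under /etc/shithubd-runner.
# The sandboxing directives below apply to the runner process itself, not to the
# job containers, which are created by the Docker daemon.
# The process and its children can never gain privileges through execve()
# (setuid/setgid bits or file capabilities).
NoNewPrivileges=yes
# Whole filesystem read-only except /dev, /proc, /sys and ReadWritePaths=;
# /etc/shithubd-runner is therefore read-only to the runner.
ProtectSystem=strict
ProtectHome=yes
# Private /tmp and /var/tmp, removed when the unit stops.
PrivateTmp=yes
# The only writable location on the host filesystem; presumably where the runner
# keeps its state and job workspaces — TODO confirm.
ReadWritePaths=/var/lib/shithubd-runner
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
# The runner process cannot create namespaces itself; job isolation comes from
# the Docker daemon, not from this directive.
RestrictNamespaces=yes
RestrictRealtime=yes
# Match shithubd-web's posture. Docker and git may need setgid semantics
# inside their own managed trees; S41e revisits runner hardening in depth.
# (=no only permits creating set-user-ID/set-group-ID files; NoNewPrivileges=
# above still blocks gaining privileges by executing them.)
RestrictSUIDSGID=no
LockPersonality=yes
# Only system calls of the native ABI are permitted.
SystemCallArchitectures=native
# NOTE(review): candidates for the S41e revisit, not applied here because the
# runner's docker-client and git paths have not been exercised against them:
# PrivateDevices=, ProtectHostname=, ProtectClock=, RestrictAddressFamilies=
# (AF_UNIX for the docker socket plus AF_INET/AF_INET6), SystemCallFilter=
# (@system-service), CapabilityBoundingSet= and UMask=.

[Install]
WantedBy=multi-user.target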