[Unit]
# Background job runner for shithub; ordered after the database it depends
# on and after the web frontend.
Description=shithub background worker pool
# Hard dependency: this unit is stopped when postgresql.service stops and
# fails to start if postgresql.service fails to start.
Requires=postgresql.service
# Pull in network-online so the worker is not started before the network is up.
Wants=network-online.target
# Ordering only. shithubd-web.service is neither pulled in nor required by
# this unit; it is only sequenced after it when both are being started.
After=network-online.target postgresql.service shithubd-web.service
6
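[Service]
Type=simple
# Runs unprivileged as the dedicated service account.
User=shithub
Group=shithub
# Holds the worker's environment, which may include database and API
# credentials. This unit does not control that file's permissions; it should
# be owned by root and not readable by other users (e.g. root:root 0600) --
# confirm against the deployment tooling.
EnvironmentFile=/etc/shithub/worker.env
ExecStart=/usr/local/bin/shithubd worker
Restart=on-failure
# seconds
RestartSec=2
LimitNOFILE=65535

# --- sandboxing ---
NoNewPrivileges=yes
# Whole filesystem is read-only except the trees listed in ReadWritePaths.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
# The only writable trees: repository storage and the worker's state
# directory. /data is broad; narrow it to the repository root if the on-disk
# layout allows.
ReadWritePaths=/data /var/lib/shithub
# Private /dev with only pseudo-devices (null, zero, random, urandom, ...).
PrivateDevices=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
# The worker never needs capabilities (it runs as a non-root user with
# NoNewPrivileges), so clear the bounding set and forbid non-native ABIs.
CapabilityBoundingSet=
SystemCallArchitectures=native
# Not enabled here because they must be validated against the worker binary
# and git before rollout (runtime-dependent syscalls, netlink use, W^X):
# SystemCallFilter=, RestrictAddressFamilies=, MemoryDenyWriteExecute=.
# RestrictSUIDSGID intentionally OFF: org GitHub imports create repos
# from the worker, and `git init --bare --shared=group` calls chmod g+s
# on the directories it creates so cross-user writes inherit the shared
# group. With RestrictSUIDSGID=yes the kernel returns EPERM and git emits
# "Could not make .../branches/ writable by group", leaving imports
# failed before any fetch occurs.
# Consequence: the worker may set the setgid bit on any file it owns under
# ReadWritePaths. Setgid on directories is the intended use; a setgid
# executable would only matter to another user running it, which a `nosuid`
# mount on the repository storage neutralises -- check whether /data is
# mounted that way.
RestrictSUIDSGID=no
LockPersonality=yes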
36
[Install]
# `systemctl enable` links this unit into the default multi-user boot target.
WantedBy=multi-user.target