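# systemd unit: shithub background worker pool.
# Runs `shithubd worker` as the unprivileged `shithub` user inside a
# hardened sandbox. Read the note on RestrictSUIDSGID before tightening
# the sandbox further; it is the one deliberate exception.

[Unit]
Description=shithub background worker pool
# After= is ordering only. postgresql.service is the sole hard dependency
# (Requires=); network-online.target is pulled in softly (Wants=);
# shithubd-web.service is neither pulled in nor required, it is merely
# started first when both are activated in the same transaction.
After=network-online.target postgresql.service shithubd-web.service
Wants=network-online.target
Requires=postgresql.service

[Service]
Type=simple
User=shithub
Group=shithub
# Worker configuration is sourced from this file by the manager (as root),
# so if it carries credentials it can and should be root-owned, mode 0600.
EnvironmentFile=/etc/shithub/worker.env
ExecStart=/usr/local/bin/shithubd worker
Restart=on-failure
RestartSec=2
LimitNOFILE=65535

# --- Sandboxing ------------------------------------------------------
# Execve can never gain privilege (setuid/setgid bits, file caps).
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Writable carve-outs from ProtectSystem=strict (plus the private /tmp).
ReadWritePaths=/data /var/lib/shithub
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
# Only the host's native syscall ABI; blocks compat-ABI escape routes.
SystemCallArchitectures=native
# The worker runs unprivileged and NoNewPrivileges is set, so an empty
# bounding set costs nothing and forecloses any setuid helper path.
CapabilityBoundingSet=
LockPersonality=yes

# RestrictSUIDSGID intentionally OFF (this is also the systemd default;
# it is spelled out so the exception stays visible in review): org GitHub
# imports create repos from the worker, and `git init --bare --shared=group`
# calls chmod g+s on the directories it creates so cross-user writes
# inherit the shared group. With RestrictSUIDSGID=yes the kernel returns
# EPERM and git emits "Could not make .../branches/ writable by group",
# leaving imports failed before any fetch occurs.
#
# Scope of the exception: setgid on a *directory* grants no privilege, it
# only changes group inheritance. The residual risk is a setuid/setgid
# *executable* written somewhere under ReadWritePaths: NoNewPrivileges=yes
# stops this service from gaining anything by executing it, but does not
# protect other processes on the host. If that matters, mount /data and
# /var/lib/shithub with `nosuid` (which does not affect git's directory
# g+s) rather than re-enabling this setting.
RestrictSUIDSGID=no

[Install]
WantedBy=multi-user.target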