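# systemd service unit for the shithub Actions runner.
# Unit-file syntax: '#' full-line comments only, Key=Value, no inline comments.

[Unit]
Description=shithub Actions runner
# Order the runner after the network, the container engine, the local
# resolver and the runner firewall. dnsmasq and the firewall unit are
# Requires= (not Wants=): if either stops, systemd stops the runner too,
# so jobs never run without the network policy in place.
After=network-online.target docker.service dnsmasq.service shithub-runner-firewall.service
Wants=network-online.target docker.service
Requires=dnsmasq.service shithub-runner-firewall.service

[Service]
Type=simple
User=shithub-runner
Group=shithub-runner
# Docker socket access still makes the host trusted infrastructure.
# Container-level hardening lives in internal/runner/engine/docker.go
# and the pinned seccomp profile installed under /etc/shithubd-runner.
SupplementaryGroups=docker
# Runner environment. systemd reads this file as root before switching to
# User=, so it does not need to be readable by the shithub-runner account.
EnvironmentFile=/etc/shithubd-runner/runner.env
ExecStart=/usr/local/bin/shithubd-runner run --config /etc/shithubd-runner/config.toml
Restart=on-failure
# seconds
RestartSec=2
LimitNOFILE=65535

# Writable state lives in /var/lib/shithubd-runner. StateDirectory= creates
# the directory (owned by User=/Group=) when it is missing and makes it
# writable under ProtectSystem=strict; a bare ReadWritePaths= entry for a
# path that does not yet exist fails the unit at start instead.
StateDirectory=shithubd-runner

# Sandboxing. Everything outside the state directory is read-only; the
# runner only needs to reach the Docker socket and its own config.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
# Match shithubd-web's posture. Docker and git may need setgid semantics
# inside their own managed trees; S41e revisits runner hardening in depth.
RestrictSUIDSGID=no
LockPersonality=yes
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target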