File gitea.service of Package gitea

[Unit]
# Unit for the Gitea web service.
# After= only orders start-up relative to the listed units; it does not pull
# them in. This file has no Wants=/Requires=, so a database or cache backend
# must be enabled on its own if Gitea depends on it.
Description=Gitea (Git with a cup of tea)
After=syslog.target network.target mysqld.service postgresql.service memcached.service redis.service

[Service]
# Runs "gitea web" as the unprivileged gitea user inside a systemd sandbox:
# read-only file system apart from the ReadWritePaths= entries, an empty
# capability set, a syscall deny-list and restricted socket families.
#
# Modify these two values and uncomment them if you have
# repos with lots of files and get an HTTP error 500 because
# of that
###
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
# NOTE(review): RestartSec= is only used when Restart= is set, and no Restart=
# appears in this file, so a crashed service stays down - confirm whether
# automatic restart is wanted.
RestartSec=2s
Type=simple
# Run without root privileges; see also the empty capability sets below.
User=gitea
Group=gitea
WorkingDirectory=/var/lib/gitea
Environment=USER=gitea
# HOME points into /usr/share, which is also listed as writable below.
Environment=HOME=/usr/share/gitea
Environment=GITEA_WORK_DIR=/var/lib/gitea
Environment=GITEA_CUSTOM=/etc/gitea
# git-lfs setting: do not fetch LFS object content during checkout.
Environment=GIT_LFS_SKIP_SMUDGE=1
#ExecStartPre=touch /var/log/gitea/access.log
ExecStart=/usr/bin/gitea web --config /etc/gitea/conf/app.ini

# where Gitea writes files
# With ProtectSystem=strict (below) the rest of the file system is read-only
# for this service, so these entries are its complete set of writable paths.
# NOTE(review): /etc/gitea/conf holds the app.ini passed to ExecStart, so the
# service can rewrite its own configuration. If Gitea no longer needs to write
# there after initial setup, consider dropping that entry - confirm first.
# NOTE(review): /usr/share/gitea is the service's HOME; check what is stored
# there, because anything under it can be altered by the service process.
ReadWritePaths=/etc/gitea/conf
ReadWritePaths=/usr/share/gitea
ReadWritePaths=/var/lib/gitea/data
ReadWritePaths=/var/lib/gitea/https
ReadWritePaths=/var/lib/gitea/indexers
ReadWritePaths=/var/lib/gitea/queues
ReadWritePaths=/var/lib/gitea/repositories
ReadWritePaths=/var/log/gitea

# If you want to bind Gitea to a port below 1024 then
# add CAP_NET_BIND_SERVICE to the following two lines
# see also: capabilities(7)
###
# An empty assignment means an empty set: the service starts with no
# capabilities and none remain in its bounding set to be acquired later.
CapabilityBoundingSet=
AmbientCapabilities=

# Various other hardening options
# "systemd-analyze security gitea.service" lists which sandboxing settings are
# still unset; use it to review this section after any change.
#
# File system and device isolation: private /tmp, no physical devices,
# read-only OS tree, home directories hidden from the service.
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict
ProtectHome=yes
# Kernel and host state the service must not change.
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectClock=yes
# Child processes of the service cannot gain privileges through setuid/setgid
# binaries or file capabilities.
NoNewPrivileges=yes
# NOTE(review): the Private*/Protect* options above already place the service
# in its own mount namespace; check systemd.exec(5) for whether this explicit
# propagation setting is still wanted.
MountFlags=private
LockPersonality=yes
RestrictRealtime=yes
RestrictNamespaces=yes
RestrictSUIDSGID=yes
KeyringMode=private
# libpcre2 uses write/execute for JIT when --enable-jit is used (default in openSUSE/SLE)
# Deliberate exception: with this set to "no" the service may create memory
# mappings that are both writable and executable, so this one mitigation is
# not in effect. Revisit it if the PCRE2 JIT dependency goes away.
MemoryDenyWriteExecute=no
RemoveIPC=yes
SystemCallArchitectures=native
# The leading "~" makes this a deny-list: the listed syscall groups are
# blocked and every other call is allowed.
# NOTE(review): no SystemCallErrorNumber= is set in this file, so by systemd's
# default a blocked call terminates the process instead of returning an error
# - confirm that is the intended failure mode.
SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete @privileged @pkey @setuid
# Only IPv4, IPv6 and Unix-domain sockets may be created.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Files and directories created by the service get no group/other permissions.
UMask=0077

[Install]
# "systemctl enable" links the unit into multi-user.target, so it is started
# during a normal (non-rescue) boot.
WantedBy=multi-user.target