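# /etc/systemd/system/drone.service
# Runs the Drone server as a docker-compose project under systemd.
# Read by systemd (unit-file syntax): '#' full-line comments only, '=' delimiter,
# repeated keys either accumulate or reset depending on the setting.

[Unit]
Description=Drone server
After=docker.service
# Keep the Docker daemon and the nginx front-end started for as long as this
# unit is active.
Upholds=nginx.service docker.service

[Service]
Slice=drone.slice
Delegate=no
# Restart after a crash, signal or timeout, not after a clean exit or
# 'systemctl stop'.
Restart=on-abnormal
RestartSec=15s

# Each Exec* line below also passes -f explicitly, so COMPOSE_FILE only acts as
# a fallback for anything docker-compose itself spawns.
Environment=COMPOSE_FILE=/etc/drone/docker-compose.yml
# Tear down leftover project state before bringing the stack up.
ExecStartPre=/usr/bin/docker-compose -p drone -f /etc/drone/docker-compose.yml down
ExecStart=/usr/bin/docker-compose -p drone -f /etc/drone/docker-compose.yml up --remove-orphans
# 'stop' halts the containers; the 'down' at the next start removes them.
ExecStop=/usr/bin/docker-compose -p drone -f /etc/drone/docker-compose.yml stop

# Scheduling: high CPU priority plus the realtime I/O class (1) at its top
# priority (0). This applies to the docker-compose client process, not to the
# containers it asks dockerd to run.
Nice=-14
IOSchedulingClass=1
IOSchedulingPriority=0

# --- Sandboxing ---
# NOTE(review): no User= is set, so the client runs as root. A dedicated user
# would still need access to the Docker socket -- confirm this is intended.

# The empty assignment resets the bounding set to nothing, i.e. drops every
# capability. The line that previously followed it,
# 'CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_CHROOT CAP_AUDIT_*',
# had no effect: a '~'-prefixed list is merged by AND with the prior set, and
# AND with an empty set stays empty. If a non-empty set is actually wanted,
# remove this empty assignment and list the capabilities to keep instead.
CapabilityBoundingSet=
# Deny-list: memfd_create and the listed syscall groups are blocked; everything
# else stays allowed.
SystemCallFilter=~memfd_create @reboot @swap @cpu-emulation @debug @module @clock @raw-io @obsolete
# /proc shows only this service's own processes, and only the pid directories.
ProtectProc=invisible
ProcSubset=pid
# NOTE(review): with ProtectHome=true the client cannot read ~/.docker; confirm
# that no registry credentials are expected from there.
ProtectHome=true
RestrictNamespaces=true
# Boolean spelled lowercase for consistency with the rest of the file; systemd
# parses booleans case-insensitively, so the effect is unchanged.
NoNewPrivileges=true
# Left disabled by the author; the reason is not recorded here.
# SecureBits=noroot-locked
ProtectSystem=strict
PrivateTmp=true
PrivateDevices=true
PrivateUsers=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
LockPersonality=true
# Rejects writable+executable memory mappings for the client process.
MemoryDenyWriteExecute=true
# Only local sockets and IPv4/IPv6 are permitted; all other families are denied.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target

# vim: ft=systemd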