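# /etc/systemd/system/drone.service
#
# Runs the Drone server by driving docker-compose in the foreground.
# The sandboxing directives under [Service] confine the docker-compose
# client process only: the containers described in
# /etc/drone/docker-compose.yml are created by dockerd, which is a separate
# service, so none of the hardening below applies to them.

[Unit]
Description=Drone server
# After= only orders startup; Requires= additionally pulls dockerd in so the
# unit does not crash-loop (Restart=always, RestartSec=5) until dockerd
# happens to be running.
Requires=docker.service
After=docker.service nginx.service

[Service]
Slice=drone.slice
# NOTE(review): Delegate hands this unit's cgroup subtree to the service
# process. The compose client itself is not known to manage cgroups —
# confirm this is actually needed.
Delegate=true
Restart=always
# seconds between restart attempts
RestartSec=5
ExecStart=/usr/bin/docker-compose -p drone -f /etc/drone/docker-compose.yml up
ExecStop=/usr/bin/docker-compose -p drone -f /etc/drone/docker-compose.yml stop

# Scheduling for the compose client: high CPU priority and the realtime
# I/O class (class 1 = realtime, priority 0 = highest within the class).
Nice=-14
IOSchedulingClass=1
IOSchedulingPriority=0

# --- sandboxing (applies to the docker-compose client only) ---
# Empty set: every capability is removed from the bounding set.
CapabilityBoundingSet=
# Left disabled by the author; reason not recorded here.
# ProtectProc=invisible
ProtectHome=true
# Allow-list of namespace types the process may create; net and mnt are
# denied. NOTE(review): confirm the client needs any of these — a plain
# RestrictNamespaces=true would be tighter.
RestrictNamespaces=uts ipc pid user cgroup
NoNewPrivileges=true
# Left disabled by the author; reason not recorded here.
# SecureBits=noroot-locked
# Entire hierarchy read-only except the /dev, /proc and /sys API trees; no
# ReadWritePaths= are granted, and /tmp is private (PrivateTmp).
ProtectSystem=strict
PrivateTmp=true
PrivateDevices=true
PrivateUsers=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
# Left disabled by the author; reason not recorded here.
# SystemCallFilter=~memfd_create
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target

# vim: ft=systemd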