renovate-bot/etc/systemd/system/renovate.service
surtur e00b7256af
systemd: enable 'ProtectHome=read-only'...
...thanks to gpg no longer needing to write lock files or a cache to the
user's home folder. That has been achieved by supplying the following
flags to the key export command:
    '--lock-never --no-symkey-cache --disable-dirmngr'
2022-06-06 16:38:58 +02:00


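[Unit]
Description=Renovate Bot service
# Requires= only pulls network.target in; it does not order this unit after
# it. After= adds the ordering so ExecStart does not run before the network
# target (and the upheld units, which the bot depends on at runtime) have
# been started.
Requires=network.target
After=network.target gitea.service docker.service
# Upholds= (systemd >= 249) keeps these units running for as long as this
# unit is active.
Upholds=gitea.service docker.service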
[Service]
Type=simple
Slice=renovate.slice
# NOTE(review): systemd already exports $USER/$HOME for units with User= set,
# so these two are presumably redundant (but harmless) — confirm.
Environment=USER=renovate-bot
Environment=HOME=/home/renovate-bot
# NOTE(review): PATH lists /bin twice; the second entry was presumably meant
# to be /usr/bin — confirm.
Environment=PATH=/home/renovate-bot/.npm-packages/bin:/bin:/bin
User=renovate-bot
Group=renovate-bot
# Runs the npm-installed renovate binary once before the main command, so a
# missing or broken install fails the unit early.
ExecStartPre=/home/renovate-bot/.npm-packages/bin/renovate --version
ExecStart=/home/renovate-bot/bin/renovatepls
TimeoutSec=600
RestartSec=30s
Restart=on-failure
# /var/log/renovate-bot and /var/lib/renovate-bot are created for the service
# user and stay writable under ProtectSystem=strict below.
LogsDirectory=renovate-bot
StateDirectory=renovate-bot
# ~ resolves to the home directory of User=.
WorkingDirectory=~
; schedule on idle
IOSchedulingClass=2
IOSchedulingPriority=7
Nice=11
# Leading '-' : do not fail if the path does not exist.
InaccessiblePaths=-/lost+found
InaccessiblePaths=/dev/shm
# for a system-level unit %h is /root
InaccessiblePaths=%h
# With ProtectHome=read-only below, /home is read-only; only the npm cache is
# carved out as writable.
ReadOnlyPaths=/home/renovate-bot/bin
ReadWritePaths=/home/renovate-bot/.npm
# --- sandboxing -----------------------------------------------------------
NoNewPrivileges=True
ProtectSystem=strict
# Possible because gpg no longer writes lock files or a cache into the home
# directory (see the '--lock-never --no-symkey-cache --disable-dirmngr' flags
# mentioned in the commit message; presumably set in renovatepls).
ProtectHome=read-only
ProtectProc=invisible
ProcSubset=pid
PrivateTmp=true
PrivateDevices=true
DevicePolicy=closed
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
LockPersonality=true
# NOTE(review): this blocks writable+executable memory mappings, which JIT
# engines (the bot is a Node.js tool, judging by the npm paths above) may
# need; presumably verified to work — confirm after Node upgrades.
MemoryDenyWriteExecute=true
# Allow-list: only local sockets and IPv4/IPv6.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictRealtime=true
RestrictSUIDSGID=true
SecureBits=noroot-locked
SystemCallArchitectures=native
# Deny-list filter ('~'): everything not listed stays allowed.
# NOTE(review): an allow-list (e.g. @system-service) would be the stronger
# form — assess whether the bot runs with it.
SystemCallFilter=~memfd_create @mount @reboot @swap @privileged @resources @cpu-emulation @debug @clock @obsolete
# Listed namespace types are the ones still allowed; net, mnt and cgroup
# namespaces are denied.
RestrictNamespaces=uts ipc pid user
# Deny-list ('~') of capabilities. NOTE(review): the service runs as a
# non-root user with NoNewPrivileges, so an empty set (CapabilityBoundingSet=)
# would drop everything without changing behaviour — assess.
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_CHROOT CAP_LINUX_IMMUTABLE CAP_AUDIT_*
[Install]
# `systemctl enable` hooks the unit into the normal multi-user boot target.
WantedBy=multi-user.target