...thanks to gpg no longer needing to write lock files or cache to the user's home folder. That has been achieved by supplying the following flags to the key export command: '--lock-never --no-symkey-cache --disable-dirmngr'
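# systemd service unit for a self-hosted Renovate bot run.
# The service runs unprivileged as renovate-bot inside a hardened sandbox;
# the renovate CLI, the wrapper script, the user and the home layout are
# provisioned outside this file.

[Unit]
Description=Renovate Bot service
Requires=network.target
# Requires= does not order units; without After= the bot could be started
# before the network is up. Services that need real connectivity normally use
# Wants=network-online.target together with After=network-online.target.
After=network.target
# Keep gitea and docker running for as long as this unit is active.
Upholds=gitea.service docker.service

[Service]
Type=simple
Slice=renovate.slice

# $USER and $HOME are also set implicitly by User=; kept explicit for clarity.
Environment=USER=renovate-bot
Environment=HOME=/home/renovate-bot
# The original value listed /bin twice; the duplicate was dropped (lookup
# order unchanged). TODO confirm whether the second entry was meant to be
# /usr/bin or /usr/local/bin.
Environment=PATH=/home/renovate-bot/.npm-packages/bin:/bin

User=renovate-bot
Group=renovate-bot

# Sanity check that the renovate CLI is present and runs under this sandbox
# before the real run starts.
ExecStartPre=/home/renovate-bot/.npm-packages/bin/renovate --version
ExecStart=/home/renovate-bot/bin/renovatepls
# Applies to both start and stop; for Type=simple the stop timeout is the
# relevant one.
TimeoutSec=600
RestartSec=30s
# A clean exit leaves the unit inactive (presumably re-triggered by a timer);
# only abnormal exits are retried.
Restart=on-failure

# /var/log/renovate-bot and /var/lib/renovate-bot, created and owned for the
# service user.
LogsDirectory=renovate-bot
StateDirectory=renovate-bot
# "~" resolves to the home directory of User= (/home/renovate-bot).
WorkingDirectory=~

# Low I/O and CPU priority: class 2 is best-effort at its lowest priority (7),
# not the idle class (3); Nice=11 lowers CPU priority as well.
IOSchedulingClass=2
IOSchedulingPriority=7
Nice=11

# A leading "-" makes a missing path non-fatal.
InaccessiblePaths=-/lost+found
InaccessiblePaths=/dev/shm
# for a system-level unit %h is /root
InaccessiblePaths=%h
# Redundant with ProtectHome=read-only below; kept as an explicit guard.
ReadOnlyPaths=/home/renovate-bot/bin
# Punches a writable hole into the otherwise read-only /home for the npm cache.
ReadWritePaths=/home/renovate-bot/.npm

# Booleans normalised to lowercase "true" for consistency with the rest of
# the file.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=read-only
ProtectProc=invisible
ProcSubset=pid

PrivateTmp=true
PrivateDevices=true
DevicePolicy=closed
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
LockPersonality=true
# NOTE(review): forbids writable+executable memory mappings; JIT runtimes such
# as Node.js/V8 may need this relaxed — confirm the ExecStartPre check passes.
MemoryDenyWriteExecute=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictRealtime=true
RestrictSUIDSGID=true
SecureBits=noroot-locked
SystemCallArchitectures=native
# Denylist form ("~"): every system call not listed stays permitted. An
# allowlist (e.g. @system-service) would be the stricter baseline; left as the
# author chose.
SystemCallFilter=~memfd_create @mount @reboot @swap @privileged @resources @cpu-emulation @debug @clock @obsolete
# Only these namespace types may be created; all others are denied.
RestrictNamespaces=uts ipc pid user
# Capability denylist. The service runs as a non-root user with
# NoNewPrivileges=true, so an empty set (CapabilityBoundingSet=) would be
# equivalent in practice and stricter.
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_CHROOT CAP_LINUX_IMMUTABLE CAP_AUDIT_*

[Install]
WantedBy=multi-user.target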