WoodSmellParticle/ansible-infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(forgejo): new forgejo role

Browse source
This commit is contained in:
NaeiKinDus 2025-06-25 00:00:00 +00:00
parent cf657bcea0
commit 0ce3b20d45
Signed by: WoodSmellParticle
GPG key ID: 8E52ADFF7CA8AE56
16 changed files with 1210 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

57
ansible_collections/nullified/infrastructure/roles/forgejo/templates/systemd/forgejo.service.j2 Normal file
View file

@ -0,0 +1,57 @@
[Unit]
Description=Forgejo Git service
Documentation=https://forgejo.org
Wants=network-online.target
After=network-online.target
[Service]
User={{ forgejo_user }}
Group={{ forgejo_group }}
Type=simple
ExecStart={{ forgejo_binary_filepath }} web --config {{ forgejo_config_dir }}/app.ini
Restart=on-failure
RestartSec=3
TimeoutStartSec=infinity
TimeoutStopSec=infinity
WorkingDirectory={{ forgejo_install_dir }}
LimitNOFILE=524288:524288
Environment=USER={{ forgejo_user }} HOME={{ forgejo_home_dir }} FORGEJO_WORK_DIR={{ forgejo_home_dir }}
# Security Hardening
PrivateTmp=true
CapabilityBoundingSet=CAP_SYS_RESOURCE
{% if systemd_version | int >= 187 %}
NoNewPrivileges=true
SystemCallFilter=@system-service
{% endif %}
{%+ if systemd_version | int >= 209 %}SystemCallArchitectures=native{%- endif +%}
{% if systemd_version | int >= 214 %}
ProtectHome=true
ProtectSystem=true
{% endif %}
{% if systemd_version | int >= 231 %}
ReadOnlyPaths=/
ReadWritePaths={{ forgejo_config_dir }} {{ forgejo_install_dir }} {{ forgejo_home_dir }}
RestrictRealtime=true
{% endif %}
{% if systemd_version | int >= 232 %}
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
RemoveIPC=true
{% endif %}
{% if systemd_version | int >= 233 %}
MountAPIVFS=true
RestrictNamespaces=ipc net mnt pid
{% endif %}
{%+ if systemd_version | int >= 235 %}LockPersonality=true{%- endif +%}
{% if systemd_version | int >= 242 %}
ProtectHostname=true
RestrictSUIDSGID=true
{% endif %}
{%+ if systemd_version | int >= 244 %}ProtectKernelLogs=true{%- endif +%}
{%+ if systemd_version | int >= 245 %}ProtectClock=true{%- endif +%}
{%+ if systemd_version | int >= 247 %}ProtectProc=invisible{%- endif +%}
[Install]
WantedBy=multi-user.target