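# Go Git Service (gogs) systemd unit, run chrooted into /chroot/git.
# systemd dialect: Key=Value, `#` full-line comments only, no inline comments.
# Single-valued keys are last-wins; path-list keys (ReadWritePaths=, BindPaths=)
# accumulate across repeated assignments.

[Unit]
Description=Go Git Service (chroot)
After=network.target remote-fs.target nss-lookup.target mysql-admin.service
PartOf=chr-git.target

[Service]
Type=simple
# Whole service runs inside the chroot; RootDirectoryStartOnly=no (the default)
# means ExecStartPost= is chrooted too, not only ExecStart=.
RootDirectory=/chroot/git
RootDirectoryStartOnly=no
User=gogs
Group=gogs
Environment=USER=gogs HOME=/home/gogs PORT=6000
# Path inside the chroot.
WorkingDirectory=/opt/gogs
ExecStart=/opt/gogs/gogs web
# Needs /bin/bash inside the chroot. $MAINPID is expanded by bash from the
# environment systemd hands to the control process; /run/gogs here is the
# chroot's view of /chroot/git/run (see the BindPaths= entry below).
ExecStartPost=/bin/bash -c 'echo $MAINPID > /run/gogs/gogs.pid'
# Host-side path of the same file ExecStartPost= writes.
PIDFile=/chroot/git/run/gogs/gogs.pid
# Was assigned twice with the same value; a single assignment is equivalent.
Restart=always
# NOTE: on current systemd `syslog` is a deprecated alias for `journal`.
StandardOutput=syslog
StandardError=syslog
#SyslogIdentifier=1
#LimitMEMLOCK=infinity
#LimitNOFILE=65535

# --- Sandboxing / hardening ---
PrivateTmp=true
# Mounts /proc, /sys, /dev inside the chroot.
MountAPIVFS=true
NoNewPrivileges=true
PrivateDevices=true
DevicePolicy=closed
ProtectSystem=full
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectProc=invisible
ProcSubset=pid
ProtectControlGroups=true
ProtectClock=true
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Hardening options kept disabled as in the original; their effect on gogs
# under this chroot is not recorded here — confirm before enabling any of them.
#ProtectHome=true
#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
#RestrictNamespaces=uts ipc pid user cgroup
#RestrictNamespaces=yes
#MemoryDenyWriteExecute=yes
#LockPersonality=yes

# --- Filesystem view ---
# Whole chroot read-only, then the few writable locations opened back up.
# Repeated ReadWritePaths= lines accumulate into one list.
#ReadOnlyPaths=/bin /sbin /lib /lib64 /usr /boot /etc
ReadOnlyPaths=/chroot/git
ReadWritePaths=/chroot/git/srv/repo
ReadWritePaths=/chroot/git/home/gogs
ReadWritePaths=/chroot/git/opt/gogs/data
ReadWritePaths=/chroot/git/var/log/gogs
ReadWritePaths=/chroot/git/run
InaccessiblePaths=/chroot/git/boot /chroot/git/sys /chroot/git/proc
# BindPaths= is host-source:chroot-destination; `norbind` = non-recursive bind.
# run
BindPaths=/chroot/git/run:/run:norbind
# log, systemd notify
BindPaths=/run/systemd/notify:/run/systemd/notify:norbind /run/systemd/journal/dev-log:/run/systemd/journal/dev-log:norbind
# admin mysql — leading `-` makes the mount optional (skipped if the source is absent)
BindPaths=-/chroot/admin/run/mysqld:/run/mysqld:norbind

[Install]
#WantedBy=multi-user.target
WantedBy=chr-git.target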