e73341f126
- move permissions of the log dir and the data dir
from forgejo:forgejo u=rwX,g=rwX,o=
to forgejo:forgejo u=rwX,g=rX,o=
- update apparmor profile to a profile that is less broad.
- create all directories before actually installing files
- make the HOME dir in the service file the same as the user
- migrate existing authorized keys files
from %{_datadir}/%{name}/.ssh/authorized_keys
to %{_sharedstatedir}/%{name}/data/home/.ssh/authorized_keys
- fix file list to lock down permissions more
- don't require the apparmor subpackage when apparmor is installed
the current profile is rather bad and it should be possible to
keep it out.
- user should actually use /var/lib/forgejo/data/home
OBS-URL: https://build.opensuse.org/request/show/1251907
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=53
34 lines
930 B
Desktop File
34 lines
930 B
Desktop File
[Unit]
|
|
Description=Forgejo (Beyond coding. We forge.)
|
|
After=network.target
|
|
|
|
[Service]
|
|
# Uncomment the next line if you have repos with lots of files and get a HTTP 500 error because of that
|
|
# LimitNOFILE=524288:524288
|
|
RestartSec=2s
|
|
Type=simple
|
|
User=forgejo
|
|
Group=forgejo
|
|
WorkingDirectory=/var/lib/forgejo/
|
|
ExecStart=/usr/bin/forgejo web --config /etc/forgejo/conf/app.ini
|
|
Restart=always
|
|
Environment=USER=forgejo
|
|
Environment=HOME=/var/lib/forgejo/data/home
|
|
Environment=GITEA_WORK_DIR=/var/lib/forgejo
|
|
Environment=GITEA_CUSTOM=/etc/forgejo
|
|
# added automatically, for details please see
|
|
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
|
ProtectHome=true
|
|
PrivateDevices=true
|
|
ProtectHostname=true
|
|
ProtectClock=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelLogs=true
|
|
ProtectControlGroups=true
|
|
RestrictRealtime=true
|
|
# end of automatic additions
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|