2 files changed, 51 insertions, 0 deletions

diff --git a/files/usr/share/doc/forgejo/app.ini.example b/files/usr/share/doc/forgejo/app.ini.example
index 77263f6..b5265e1 100644
--- a/files/usr/share/doc/forgejo/app.ini.example
+++ b/files/usr/share/doc/forgejo/app.ini.example
@@ -1,3 +1,4 @@
+; vim:syntax=dosini
 ; This file lists the default values used by Forgejo
 ;; Copy required sections to your own app.ini (default is custom/conf/app.ini)
 ;; and modify as needed.
diff --git a/files/usr/share/doc/forgejo/forgejo.service.example b/files/usr/share/doc/forgejo/forgejo.service.example
new file mode 100644
index 0000000..c8f2805
--- /dev/null
+++ b/files/usr/share/doc/forgejo/forgejo.service.example
@@ -0,0 +1,50 @@
+# vim:syntax=systemd
+[Unit]
+Description=Forgejo
+After=network.target
+After=mysqld.service
+After=postgresql.service
+After=memcached.service
+After=redis.service
+
+[Service]
+User=forgejo
+Group=forgejo
+Type=simple
+WorkingDirectory=~
+RuntimeDirectory=forgejo
+LogsDirectory=forgejo
+StateDirectory=forgejo
+ExecStart=/usr/bin/forgejo web -c /etc/forgejo/app.ini
+Restart=always
+RestartSec=2s
+ReadWritePaths=/etc/forgejo/app.ini
+AmbientCapabilities=
+CapabilityBoundingSet=
+LockPersonality=true
+#Required by commit search
+#MemoryDenyWriteExecute=true
+NoNewPrivileges=True
+#SecureBits=noroot-locked
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+
+[Install]
+WantedBy=multi-user.target