[Unit]
Description=GitKS - gRPC Git Bare Repository Operations Service
Documentation=https://github.com/example/gitks
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=gitks
Group=gitks

# Environment
EnvironmentFile=/etc/gitks/gitks.env

# Runtime directories
RuntimeDirectory=gitks
StateDirectory=gitks
WorkingDirectory=/var/lib/gitks

# Executable (assumes installed to /usr/local/bin/gitks)
ExecStart=/usr/local/bin/gitks

# Restart policy
Restart=on-failure
RestartSec=5s

# Graceful shutdown — send SIGTERM, wait, then SIGKILL
KillMode=mixed
KillSignal=SIGTERM
TimeoutStopSec=30s

# Sandbox hardening
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/gitks /data/repos
ReadOnlyPaths=/etc/gitks
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=no
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

# Logging to journald
StandardOutput=journal
StandardError=journal
SyslogIdentifier=gitks

# Limit file descriptors (git may open many files)
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target