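# systemd template unit (instantiated per gitolite instance; the instance
# name is passed as %i). Rendered by Ansible: {{ gitolite_base_path }} is
# substituted at deploy time.
# Booleans use true/false throughout (ProtectHome previously used "yes";
# same semantics for systemd, now consistent with the rest of the file).

[Unit]
Description=Git fsck for gitolite instance %i

[Service]
Type=oneshot
ExecStart={{ gitolite_base_path }}/git-fsck.sh %i
# The job is killed if it has not finished within 10 minutes; raise this if
# large repositories need longer to fsck.
TimeoutStartSec=10m

# systemd hardening-options
# Only CAP_DAC_READ_SEARCH (bypass read/search permission checks) remains in
# the bounding set; every other capability is dropped. AmbientCapabilities
# only has an effect for a non-root User=; no User= appears in this unit, so
# the bounding set is the directive that actually limits the process.
AmbientCapabilities=CAP_DAC_READ_SEARCH
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
# Private /dev with an explicit allow-list: only /dev/null is reachable.
DeviceAllow=/dev/null rw
DevicePolicy=strict
PrivateDevices=true
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateTmp=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
# Whole file system read-only except the paths listed below.
ProtectSystem=strict
# Presumably where git-fsck.sh drops its node_exporter textfile metrics;
# verify against the script before narrowing or changing this path.
ReadWritePaths=/var/lib/prometheus-node-exporter/textfile-collector
# Additional surface reduction; none of these are needed by a local fsck.
# Older systemd versions log "Unknown key name" and ignore them, they do
# not fail the unit.
ProtectClock=true
ProtectHostname=true
ProtectKernelLogs=true
RestrictSUIDSGID=true
RemoveIPC=true
RestrictNamespaces=true
RestrictRealtime=true
# Only UNIX-domain sockets may be created; no network sockets at all.
RestrictAddressFamilies=AF_UNIX
SystemCallArchitectures=native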