Emi Matchu
a9db85d7c8
Oh right, I dealt with this a few months ago too: I got a notice from Let's Encrypt that our code.openneo.net SSL certificate was going to expire soon. And last time, restarting the Forgejo service fixed it and got a new certificate issued immediately! My inference is that the logic to check on the certificate status only happens on startup. So, let's add code to the service file to ensure that Forgejo will terminate after 7 days of runtime; and the `Restart=always` setting will ensure that it comes immediately back up.
# Adapted from https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service
[Unit]
Description=Forgejo (Beyond coding. We forge.)
After=syslog.target network.target

# Database and cache dependencies.
# Uncomment the Wants=/After= pair for every backing service this instance
# relies on, so that it is pulled in and ordered before Forgejo.
#
#Wants=mysql.service
#After=mysql.service
#
#Wants=mariadb.service
#After=mariadb.service
#
#Wants=postgresql.service
#After=postgresql.service
#
#Wants=memcached.service
#After=memcached.service
#
#Wants=redis.service
#After=redis.service
#

# Socket activation for the main http/s listener.
# Uncomment both lines if systemd should own the listening socket.
#
#After=forgejo.main.socket
#Requires=forgejo.main.socket
#
# (An http fallback socket and/or an ssh socket can be handed to forgejo the
# same way.)
#
# Example of /etc/systemd/system/forgejo.main.socket:
##
## [Unit]
## Description=Forgejo Web Socket
## PartOf=forgejo.service
##
## [Socket]
## Service=forgejo.service
## ListenStream=<some_port>
## NoDelay=true
##
## [Install]
## WantedBy=sockets.target
##
[Service]
# Process identity and environment: Forgejo runs as the unprivileged git user.
Type=simple
User=git
Group=git
WorkingDirectory=/var/lib/forgejo/
Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/forgejo
# If Git is installed under a prefix that is not on the default PATH (for
# example another Git version installed side by side with the distribution
# one), uncomment the line below and add that prefix to PATH. For Git LFS
# support, the git-lfs binary has to be on this PATH as well.
#Environment=PATH=/path/to/git/bin:/bin:/sbin:/usr/bin:/usr/sbin

# If using a Unix socket: have systemd create the /run/forgejo folder that
# will hold forgejo.sock (a manually created /run/forgejo would not persist
# across reboots).
#RuntimeDirectory=forgejo

# Uncomment the next line if you have repos with lots of files and get an
# HTTP 500 error because of that.
# LimitNOFILE=524288:524288

ExecStart=/usr/local/bin/forgejo web --config /etc/forgejo/app.ini

# Restart policy.
# NOTE: Let's Encrypt certificate renewal was only observed to happen when the
# service starts (an inference from past expiry notices, not a confirmed
# Forgejo behaviour), so the runtime is capped at 7 days. When the cap is hit,
# systemd terminates the service and records a failure; Restart=always then
# brings it back after RestartSec. Expect a short interruption at that moment.
# This is a workaround: keep an independent check on the certificate's expiry
# date so a failed renewal is noticed before the certificate lapses.
RuntimeMaxSec=7d
Restart=always
RestartSec=2s

# Binding to a port below 1024 as a non-root user.
# Both lines are enabled in this deployment. CapabilityBoundingSet limits the
# service to this one capability; AmbientCapabilities hands it to the process
# started as User=git. If Forgejo does not bind a low port itself (it listens
# on a high port, or receives its ports through socket activation),
# AmbientCapabilities is not needed.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

# PrivateUsers=true sandboxes the service so that none of its processes run
# with privileges in the host user namespace. In some cases, when using
# CapabilityBoundingSet and AmbientCapabilities, it has to be set to false so
# that the capabilities are applied to the Forgejo process.
#PrivateUsers=false
[Install]
# Enabling the unit hooks it into the regular multi-user boot target.
WantedBy=multi-user.target