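# =============================================================================
# Gitea Act Runner - Systemd Service Unit
# =============================================================================
# Managed by Ansible - DO NOT EDIT MANUALLY
#
# Common commands:
#   systemctl status act_runner    - Check service status
#   systemctl restart act_runner   - Restart the service
#   journalctl -u act_runner -f    - Follow service logs
#
# See: https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html
# =============================================================================

[Unit]
# Human-readable description
Description=Gitea Actions runner
# Documentation link
Documentation=https://gitea.com/gitea/act_runner
# Order this unit after Docker and network-online. After= is ordering only:
# it does not start docker.service or make this unit depend on it.
After=docker.service network-online.target
# Request network-online.target to be started
Wants=network-online.target

[Service]
# Simple type: process runs in foreground
Type=simple
# Main command
ExecStart={{ act_runner_bin_path }} daemon --config {{ act_runner_config_dir }}/config.yaml
# Reload command (sends HUP signal to the main process)
ExecReload=/bin/kill -s HUP $MAINPID
# Working directory
WorkingDirectory={{ act_runner_home }}
# No timeout for start/stop (jobs may take long). With the stop timeout
# disabled, "systemctl stop" waits indefinitely for the process to exit.
TimeoutSec=0
# Wait before restarting after failure (seconds)
RestartSec=10
# Always restart on any exit
Restart=always
# Run as the configured service user/group (intended to be unprivileged)
User={{ act_runner_user }}
Group={{ act_runner_group }}

# ---------------------------------------------------------------------------
# Security Hardening
# ---------------------------------------------------------------------------
# NOTE(review): these settings confine only the runner process and its
# children. After=docker.service suggests jobs go through the Docker daemon;
# if the service user can reach the Docker socket, containers are created by
# dockerd outside this sandbox and that access is effectively root-equivalent
# on the host - confirm, and treat the runner host accordingly.
# Remaining exposure can be reviewed with: systemd-analyze security act_runner
#
# Process and children cannot gain privileges through execve()
# (setuid/setgid bits, file capabilities)
NoNewPrivileges=true
# Mount the entire file system hierarchy read-only for this service,
# except the API file systems /dev, /proc and /sys
ProtectSystem=strict
# Allow writes only to these paths.
# NOTE(review): the config directory is writable by the service, so the
# runner process can rewrite its own config.yaml. If the runner only reads
# that directory, drop it from this list - confirm where the runner writes
# its registration/state data first.
ReadWritePaths={{ act_runner_home }} {{ act_runner_config_dir }}
# Private /tmp and /var/tmp, not shared with other processes
PrivateTmp=true

[Install]
# Start on normal boot
WantedBy=multi-user.target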