[Unit]
Description=Gitea Actions Runner
After=network.target docker.service
Requires=docker.service

[Service]
Type=simple
User={{ runner_user }}
WorkingDirectory={{ runner_install_dir }}
ExecStart={{ runner_install_dir }}/act_runner daemon --config {{ runner_install_dir }}/.runner
Restart=always
RestartSec=10

# Security hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths={{ runner_work_dir }}

# Resource limits
LimitNOFILE=65536
LimitNPROC=4096

[Install]
WantedBy=multi-user.target