[Unit]
Description=git daemon
Documentation=man:git-daemon(1)

[Service]
ExecStart=/usr/bin/git daemon --inetd --verbose --export-all --enable=upload-archive --base-path=/srv/git
StandardInput=socket
StandardOutput=socket
StandardError=journal
User=nobody

# sandboxing options, see systemd.exec(5)
NoNewPrivileges=yes
PrivateNetwork=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ReadOnlyDirectories=/
SystemCallArchitectures=native
RestrictRealtime=yes
ProtectControlGroups=yes
ProtectKernelModules=yes