bundlewrap/bundles/woodpecker-server/files/woodpecker-server.service

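# Woodpecker CI server unit.
[Unit]
Description=woodpecker ci
# syslog.target is an obsolete ordering target on current systemd; kept unchanged.
After=syslog.target
After=network.target
# Requires= only pulls PostgreSQL in and ties this unit to it; it does not order
# startup. The matching After= makes the server wait until postgresql.service
# has been started instead of racing it and relying on Restart= to recover.
Requires=postgresql.service
After=postgresql.service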
[Service]
# Delay between a process exit and the next restart attempt.
RestartSec=2s
# simple: the unit counts as started as soon as the main process has been forked off.
Type=simple
# Runs as the woodpecker user and group instead of root.
User=woodpecker
Group=woodpecker
WorkingDirectory=/var/lib/woodpecker
ExecStart=/usr/local/bin/woodpecker-server
# Restart on every exit, clean or not (after RestartSec).
Restart=always

# --- Sandboxing ---
# The only path left writable once ProtectSystem=strict makes the rest of the
# file system read-only.
ReadWritePaths=/var/lib/woodpecker
# Empty set: the service and its children can never hold any capability.
# Without CAP_NET_BIND_SERVICE it cannot bind ports below 1024 —
# NOTE(review): confirm the configured listen addresses use unprivileged ports.
CapabilityBoundingSet=
# setuid/setgid bits and file capabilities cannot grant new privileges on exec.
NoNewPrivileges=true
# Whole file system hierarchy read-only except /dev, /proc and /sys.
ProtectSystem=strict
# /home, /root and /run/user are inaccessible.
ProtectHome=true
# Private /tmp and /var/tmp, a minimal /dev without physical devices, and a
# private user namespace in which only root and the service user are mapped.
PrivateTmp=true
PrivateDevices=true
PrivateUsers=true
# Host name, system clock, kernel tunables, module loading, the kernel log
# buffer and the cgroup tree cannot be changed (or, for the log, read).
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
# Allow-list of socket families: local, IPv4 and IPv6 only; netlink, packet
# and all other families are refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Execution domain is pinned; memory mappings that are writable and executable
# at the same time are denied; no realtime scheduling; no creating setuid/setgid files.
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
# Own mount namespace: mounts made by the service do not propagate to the host.
PrivateMounts=true
# Only native-ABI system calls, so the filter below cannot be sidestepped
# through a secondary ABI.
SystemCallArchitectures=native
# Leading ~ makes this a deny-list: the listed groups are blocked, everything
# else stays allowed.
# NOTE(review): an allow-list (SystemCallFilter=@system-service) is the tighter
# form, and RestrictNamespaces= / ProtectProc= are not set here; review the
# remaining exposure with: systemd-analyze security woodpecker-server.service
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap
## Template loop: one Environment= line per entry of the env mapping, sorted by
## key so the rendered unit is stable between runs.
## NOTE(review): values are written unquoted and unescaped. systemd splits
## Environment= on whitespace and expands % specifiers, so a value containing a
## space, a quote, a backslash or a percent sign would not reach the process
## intact — confirm what env can contain, or quote and escape here.
## NOTE(review): if env carries secrets (tokens, database credentials), they
## end up in the unit file and are visible through systemctl show; a root-only
## EnvironmentFile= or LoadCredential= keeps them out of the unit.
% for k, v in sorted(env.items()):
Environment=${k}=${v}
% endfor
[Install]
# When enabled, the unit is started as part of the regular multi-user boot target.
WantedBy=multi-user.target