bundlewrap/bundles/woodpecker-agent/files/woodpecker-agent.service

43 lines
973 B
SYSTEMD
Raw Normal View History

2022-12-24 16:41:27 +00:00
[Unit]
Description=woodpecker ci agent
After=syslog.target
After=network.target
[Service]
RestartSec=2s
Type=simple
User=woodpecker
Group=woodpecker
WorkingDirectory=/var/lib/woodpecker
ExecStart=/usr/local/bin/woodpecker-agent
Restart=always
ReadWritePaths=/var/lib/woodpecker
CapabilityBoundingSet=
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
PrivateUsers=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
PrivateMounts=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap
% for k, v in sorted(env.items()):
Environment=${k}=${v}
% endfor
[Install]
WantedBy=multi-user.target