bundles/woodpecker: try to get it working

bundles/woodpecker-server/files/woodpecker-server.service

@@ -9,8 +9,32 @@ RestartSec=2s
 Type=simple
 User=woodpecker
 Group=woodpecker
+WorkingDirectory=/var/lib/woodpecker
 ExecStart=/usr/local/bin/woodpecker-server
 Restart=always
+ReadWritePaths=/var/lib/woodpecker
+CapabilityBoundingSet=
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+PrivateMounts=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap
+
 % for k, v in sorted(env.items()):
 Environment=${k}=${v}
 % endfor