bundles/woodpecker-server/files/woodpecker-server.service

@@ -9,8 +9,32 @@ RestartSec=2s
 Type=simple
 User=woodpecker
 Group=woodpecker
+WorkingDirectory=/var/lib/woodpecker
 ExecStart=/usr/local/bin/woodpecker-server
 Restart=always
+ReadWritePaths=/var/lib/woodpecker
+CapabilityBoundingSet=
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+PrivateMounts=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap
+
 % for k, v in sorted(env.items()):
 Environment=${k}=${v}
 % endfor

bundles/woodpecker-server/items.py

@@ -1,5 +1,9 @@
 version = node.metadata.get('woodpecker-server/version')
 
+directories['/var/lib/woodpecker'] = {
+    'owner': 'woodpecker',
+}
+
 actions['install_woodpecker-server'] = {
     'command': ' && '.join([
         f'wget -q -O/tmp/woodpecker-server.deb https://github.com/woodpecker-ci/woodpecker/releases/download/v{version}/woodpecker-server_{version}_amd64.deb',
@@ -32,4 +36,6 @@ svc_systemd['woodpecker-server'] = {
     },
 }
 
-users['woodpecker'] = {}
+users['woodpecker'] = {
+    'home': '/var/lib/woodpecker',
+}