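## Mako template for the systemd unit that runs the Woodpecker CI agent.
## `env` is a mapping of environment variable names to values supplied by the
## rendering context; each entry becomes one Environment= line in [Service].
<%!
    def unit_quote(value):
        """Escape a value for use inside a double-quoted systemd assignment.

        Backslashes, double quotes, line breaks and the specifier character
        are escaped, so a value can neither end the quoted string early nor
        start a new line (and with it a new directive) in the rendered unit.
        """
        text = str(value)
        # Backslash goes first so the escapes added below are not doubled.
        for raw, escaped in (("\\", "\\\\"), ('"', '\\"'), ("\n", "\\n"), ("\r", "\\r"), ("%", "%%")):
            text = text.replace(raw, escaped)
        return text
%>
[Unit]
Description=woodpecker ci agent
After=syslog.target
After=network.target

[Service]
RestartSec=2s
Type=simple
# Runs as a dedicated unprivileged account, never as root.
User=woodpecker
Group=woodpecker
WorkingDirectory=/var/lib/woodpecker
ExecStart=/usr/local/bin/woodpecker-agent
Restart=always

# File system: ProtectSystem=strict mounts the whole hierarchy read-only for
# this service; ReadWritePaths= re-opens only the agent's state directory.
ReadWritePaths=/var/lib/woodpecker
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
PrivateMounts=true

# Privileges: the empty CapabilityBoundingSet= drops every capability, and
# NoNewPrivileges= keeps setuid/setgid binaries from granting any back.
CapabilityBoundingSet=
NoNewPrivileges=true
RestrictSUIDSGID=true
# PrivateUsers= maps only root and the unit's own user/group; every other
# owner appears as "nobody".
# NOTE(review): if the agent has to reach a socket or directory through a
# different group (for example a container runtime socket), that access is
# lost under this mapping. Confirm against the backend in use.
PrivateUsers=true

# Kernel and host state the agent has no reason to modify.
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true

# Network: only local sockets and IPv4/IPv6; netlink, packet and other
# address families are refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# Process hardening. These settings apply to every process in the unit,
# including anything the agent spawns.
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true

# System calls: native ABI only. The leading "~" makes the list a deny-list,
# so the named groups are blocked and everything else stays allowed.
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap

# Environment passed to the agent. Each assignment is double-quoted and
# escaped so that whitespace, quotes or line breaks in a value stay inside
# that one variable.
# NOTE(review): values written here are stored in the unit file and are
# visible through "systemctl show". If env carries a secret such as the agent
# token, prefer EnvironmentFile= pointing at a root-only file, or
# LoadCredential=.
% for k, v in sorted(env.items()):
Environment="${unit_quote(k)}=${unit_quote(v)}"
% endfor

[Install]
WantedBy=multi-user.target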