modules: services: woodpecker: allow setuid

I need it to be able to use `ssh-agent`, for some of my workflows.
2023-04-01 21:05:20 +02:00 · 2023-04-01 21:05:20 +02:00 · f15b3aa23d
parent 0da267664c
commit f15b3aa23d
1 changed files with 3 additions and 0 deletions
--- a/modules/services/woodpecker/agent-exec/default.nix
+++ b/modules/services/woodpecker/agent-exec/default.nix
@ -45,6 +45,9 @@ in
      ];

      serviceConfig = {
+        # Same option as upstream, without @setuid
+        SystemCallFilter = lib.mkForce "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap";
+
        BindPaths = [
          "/nix/var/nix/daemon-socket/socket"
          "/run/nscd/socket"