]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/gps-tile/recipes/default.rb
projects / chef.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Improve filesystem sandboxing for some services
[chef.git] / cookbooks / gps-tile / recipes / default.rb
diff --git a/cookbooks/gps-tile/recipes/default.rb b/cookbooks/gps-tile/recipes/default.rb
index f4db96412858f51cc9530bd1be535ae0a03c5180..bc4e4c6373da5bb7dc379014946871ffa198ce89 100644 (file)
--- a/cookbooks/gps-tile/recipes/default.rb
+++ b/cookbooks/gps-tile/recipes/default.rb
@@ -96,8 +96,9 @@ systemd_service "gps-update" do
   nice 10
   private_tmp true
   private_devices true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_directories "/srv/gps-tile.openstreetmap.org"
   no_new_privileges true
   restart "on-failure"
 end
Chef configuration management public repo for configuring & maintaining the OpenStreetMap servers.