Use default sandbox for planetdump

[chef.git] / cookbooks / planet / recipes / dump.rb

diff --git a/cookbooks/planet/recipes/dump.rb b/cookbooks/planet/recipes/dump.rb
index c7737bdb84a23576c70dfe1e9069e105409911e2..d565750119e8c6d2b24fed089e499d327b671bb4 100644 (file)
--- a/cookbooks/planet/recipes/dump.rb
+++ b/cookbooks/planet/recipes/dump.rb
@@ -115,10 +115,14 @@ systemd_service "planetdump@" do
   user "www-data"
   exec_start "/usr/local/bin/planetdump %i"
   memory_max "64G"
-  private_tmp true
-  protect_system "strict"
-  protect_home true
-  read_write_paths ["/var/log/exim4", "/var/spool/exim4"]
+  sandbox true
+  read_write_paths [
+    "/store/planetdump",
+    "/store/planet/pbf",
+    "/store/planet/planet",
+    "/var/log/exim4",
+    "/var/spool/exim4"
+  ]
 end
 
 cron_d "planet-dump-mirror" do