Modernise some older systemd services

[chef.git] / cookbooks / tile / recipes / default.rb

diff --git a/cookbooks/tile/recipes/default.rb b/cookbooks/tile/recipes/default.rb
index 2e19e9b0ed25955ee947f6be9d79467c70523d28..7d75087c9552a2138462fd3b48d015963a347fd5 100644 (file)
--- a/cookbooks/tile/recipes/default.rb
+++ b/cookbooks/tile/recipes/default.rb
@@ -76,11 +76,13 @@ systemd_service "renderd" do
   private_network true
   protect_system "full"
   protect_home true
+  no_new_privileges true
   restart "on-failure"
 end
 
 service "renderd" do
   action [:enable, :start]
+  subscribes :restart, "systemd_service[renderd]"
 end
 
 directory "/srv/tile.openstreetmap.org/tiles" do
@@ -468,6 +470,7 @@ systemd_service "replicate" do
   private_devices true
   protect_system "full"
   protect_home true
+  no_new_privileges true
   restart "on-failure"
 end