From: Tom Hughes
Date: Wed, 9 Nov 2022 20:26:16 +0000 (+0000)
Subject: Use default sandboxing for the blogs-update service
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/a406b373ee9a85b2f79e187b582379326b7b70d2

Use default sandboxing for the blogs-update service
---

diff --git a/cookbooks/blogs/recipes/default.rb b/cookbooks/blogs/recipes/default.rb
index c4d425a56..6b181f209 100644
--- a/cookbooks/blogs/recipes/default.rb
+++ b/cookbooks/blogs/recipes/default.rb
@@ -82,12 +82,8 @@ systemd_service "blogs-update" do
 description "Update blog aggregator"
 exec_start "/usr/local/bin/blogs-update"
 user "blogs"
- private_tmp true
- private_devices true
- protect_system "strict"
- protect_home true
+ sandbox :enable_network => true
 read_write_paths "/srv/blogs.openstreetmap.org"
- no_new_privileges true
 end
 
 systemd_timer "blogs-update" do
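Review bot: The added `sandbox :enable_network => true` line replaces five explicit hardening properties (`private_tmp`, `private_devices`, `protect_system "strict"`, `protect_home`, `no_new_privileges`) with defaults that are implemented outside this hunk, so nothing visible here confirms that the rendered unit for blogs-update is still at least as strict as before. The retained `read_write_paths "/srv/blogs.openstreetmap.org"` is only meaningful while the rest of the filesystem stays read-only, so it is worth comparing the unit on a converged node with `systemctl show blogs-update.service` or `systemd-analyze security blogs-update.service` before and after the change. The network opt-in is the one explicit relaxation of the default profile and deserves a why-comment above it, for example `# aggregator needs outbound network access to fetch feeds` (presumably the reason; confirm against the script). The opening line of the `systemd_service` block appears only in the hunk header.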