From 0bf6d143b646c0e95dcead057a2782890c0c10ef Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Mon, 14 Nov 2022 22:48:50 +0000
Subject: [PATCH] Use default sandboxing for the gps-update service
---
 cookbooks/gps-tile/recipes/default.rb | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/cookbooks/gps-tile/recipes/default.rb b/cookbooks/gps-tile/recipes/default.rb
index f82327c9f..d71d04ade 100644
--- a/cookbooks/gps-tile/recipes/default.rb
+++ b/cookbooks/gps-tile/recipes/default.rb
@@ -94,12 +94,8 @@ systemd_service "gps-update" do
 working_directory "/srv/gps-tile.openstreetmap.org"
 exec_start "/srv/gps-tile.openstreetmap.org/updater/update"
 nice 10
- private_tmp true
- private_devices true
- protect_system "strict"
- protect_home true
+ sandbox :enable_network => true
 read_write_paths "/srv/gps-tile.openstreetmap.org"
- no_new_privileges true
 restart "on-failure"
 end
-- 
2.43.2
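Review bot: The new `sandbox :enable_network => true` line replaces five explicit hardening directives with one option whose expansion is defined outside this hunk, so the recipe no longer shows which protections the unit actually gets. The retained `read_write_paths "/srv/gps-tile.openstreetmap.org"` only has an effect if the sandbox default still makes the rest of the file system read-only, as the removed `protect_system "strict"` did. `:enable_network => true` also opts this unit out of whatever network isolation the default applies, and the reason is not recorded. I would add a comment above the line such as `# default sandbox from the systemd_service resource; network kept because the updater needs <reason>`, and compare `systemd-analyze security gps-update.service` on a converged host before and after to confirm nothing was lost. The `systemd_service "gps-update" do` block opens above the hunk, so its earlier properties are not visible here.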