From 8662d9084e3b7e832050c55d48a0ecc37ea3bb35 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Thu, 3 Nov 2022 13:59:04 +0000
Subject: [PATCH] Drop private_devices for OTRS and planetdump that use exim
---
 cookbooks/otrs/recipes/default.rb | 5 ++---
 cookbooks/planet/recipes/dump.rb | 5 ++---
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/cookbooks/otrs/recipes/default.rb b/cookbooks/otrs/recipes/default.rb
index d124bf43a..0b391a62c 100644
--- a/cookbooks/otrs/recipes/default.rb
+++ b/cookbooks/otrs/recipes/default.rb
@@ -119,10 +119,9 @@ systemd_service "otrs" do
 group "otrs"
 exec_start "/opt/otrs/bin/otrs.Daemon.pl start"
 private_tmp true
- private_devices true
- protect_system "full"
+ protect_system "strict"
 protect_home true
- read_write_paths "/var/log/exim4"
+ read_write_paths ["/opt/otrs-#{version}/var", "/var/log/exim4", "/var/spool/exim4"]
 end
 
 service "otrs" do
diff --git a/cookbooks/planet/recipes/dump.rb b/cookbooks/planet/recipes/dump.rb
index fdc9c7c46..c7737bdb8 100644
--- a/cookbooks/planet/recipes/dump.rb
+++ b/cookbooks/planet/recipes/dump.rb
@@ -116,10 +116,9 @@ systemd_service "planetdump@" do
 exec_start "/usr/local/bin/planetdump %i"
 memory_max "64G"
 private_tmp true
- private_devices true
- protect_system "full"
+ protect_system "strict"
 protect_home true
- read_write_paths "/var/log/exim4"
+ read_write_paths ["/var/log/exim4", "/var/spool/exim4"]
 end
 
 cron_d "planet-dump-mirror" do
-- 
2.45.2
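Review bot: The `systemd_service "otrs"` block in cookbooks/otrs/recipes/default.rb loses `private_devices true` with no comment in the recipe saying why, so the only record of the reason is the commit subject. Because this removes a sandboxing control (the unit sees the host's device nodes again), a one-line comment above `private_tmp true` would stop a later hardening pass from re-adding it blindly and would mark it for restoring once the exim dependency goes away, for example `# private_devices is left off because this unit runs exim`. The same comment applies to the `systemd_service "planetdump@"` hunk in cookbooks/planet/recipes/dump.rb. Both blocks start above their hunks.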
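Review bot: The `read_write_paths` array in the `systemd_service "planetdump@"` hunk may be missing the directory the dump is written to: it lists only the two exim directories, and with `protect_system "strict"` the rest of the filesystem outside the private /tmp and /dev, /proc, /sys is read-only for the unit. The otrs hunk adds its own data directory (`/opt/otrs-#{version}/var`) to its list, but no equivalent path appears here; where `/usr/local/bin/planetdump` writes is not visible in this hunk, so this may already be handled elsewhere. If it does write to disk, that directory needs adding, e.g. `read_write_paths ["<planetdump output dir>", "/var/log/exim4", "/var/spool/exim4"]` (placeholder path). The block starts above the hunk.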