From f1a403d3877c4cb3abd8e789cd73fdc61602423a Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sun, 24 Sep 2023 10:55:38 +0100
Subject: [PATCH 1/1] Fix access to AWS credentials for planet services

---
 cookbooks/planet/recipes/notes.rb | 4 +++-
 cookbooks/planet/recipes/replication.rb | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/cookbooks/planet/recipes/notes.rb b/cookbooks/planet/recipes/notes.rb
index f3c91a3e0..e63297081 100644
--- a/cookbooks/planet/recipes/notes.rb
+++ b/cookbooks/planet/recipes/notes.rb
@@ -57,7 +57,9 @@ systemd_service "planet-notes-dump" do
 exec_start "/usr/local/bin/planet-notes-dump"
 user "planet"
 sandbox :enable_network => true
- read_write_paths ["/store/planet/notes", "/home/planet/.aws"]
+ protect_home "tmpfs"
+ bind_paths "/home/planet"
+ read_write_paths "/store/planet/notes"
 end
 
 systemd_timer "planet-notes-dump" do
diff --git a/cookbooks/planet/recipes/replication.rb b/cookbooks/planet/recipes/replication.rb
index 0a25ad959..e0a3bcc7e 100644
--- a/cookbooks/planet/recipes/replication.rb
+++ b/cookbooks/planet/recipes/replication.rb
@@ -207,8 +207,9 @@ systemd_service "replication-changesets" do
 user "planet"
 exec_start "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
 sandbox :enable_network => true
+ protect_home "tmpfs"
+ bind_paths "/home/planet"
 read_write_paths [
- "/home/planet/.aws",
 "/run/replication",
 "/store/planet/replication/changesets"
 ]
-- 
2.39.5
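Review bot: `bind_paths "/home/planet"` in the planet-notes-dump block makes the whole home directory visible and writable to a service that also has `sandbox :enable_network => true`, whereas the line it replaces named only `/home/planet/.aws`. The replication-changesets hunk in replication.rb has the same widening. If the AWS credentials are all these services need from the home directory, `bind_paths "/home/planet/.aws"` would leave everything else under /home/planet hidden by the tmpfs; this assumes systemd creates the mount point inside the tmpfs, which should be confirmed on the target version. If the tools only read the credentials, systemd's `BindReadOnlyPaths=` would be tighter still, though whether the `systemd_service` resource exposes it is not visible here. Both resource blocks start outside their hunks, so other sandbox settings may apply that the diff does not show.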