user "planet"
exec_start "/usr/local/bin/users-agreed"
nice 10
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ sandbox :enable_network => true
+ read_write_paths "/store/planet/users_agreed"
end
systemd_timer "users-agreed" do
user "planet"
exec_start "/usr/local/bin/users-deleted"
nice 10
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ sandbox :enable_network => true
+ read_write_paths "/store/planet/users_deleted"
end
systemd_timer "users-deleted" do
description "Changesets replication"
user "planet"
exec_start "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ sandbox :enable_network => true
+ read_write_paths [
+ "/run/replication",
+ "/store/planet/replication/changesets"
+ ]
end
systemd_timer "replication-changesets" do
user "planet"
working_directory "/etc/replication"
exec_start "/usr/local/bin/replicate-minute"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ sandbox :enable_network => true
+ read_write_paths [
+ "/run/replication",
+ "/store",
+ "/var/lib/replication/minute"
+ ]
end
systemd_timer "replication-minutely" do
user "planet"
exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/hour"
environment "LD_PRELOAD" => "/opt/flush/flush.so"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ sandbox :enable_network => true
+ memory_deny_write_execute false
+ read_write_paths [
+ "/store/planet/replication/hour",
+ "/var/lib/replication/hour"
+ ]
end
systemd_timer "replication-hourly" do
- description "Daily replication"
+ description "Hourly replication"
on_calendar "*-*-* *:02/15:00"
end
user "planet"
exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/day"
environment "LD_PRELOAD" => "/opt/flush/flush.so"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
+ sandbox :enable_network => true
+ memory_deny_write_execute false
+ read_write_paths [
+ "/store/planet/replication/day",
+ "/var/lib/replication/day"
+ ]
end
systemd_timer "replication-daily" do
description "Cleanup replication"
user "planet"
exec_start "/usr/local/bin/replicate-cleanup"
- private_tmp true
- private_devices true
- private_network true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox true
+ read_write_paths "/var/lib/replication"
end
systemd_timer "replication-cleanup" do