Use default sandbox for planetdump

[chef.git] / cookbooks / planet / recipes / dump.rb

diff --git a/cookbooks/planet/recipes/dump.rb b/cookbooks/planet/recipes/dump.rb
index 82e6f1cab85eaf3571728de3dbef93f0dc68380e..d565750119e8c6d2b24fed089e499d327b671bb4 100644 (file)
--- a/cookbooks/planet/recipes/dump.rb
+++ b/cookbooks/planet/recipes/dump.rb
@@ -61,7 +61,7 @@ end
 git "/opt/planet-dump-ng" do
   action :sync
   repository "https://github.com/zerebubuth/planet-dump-ng.git"
-  revision "v1.2.0"
+  revision "v1.2.6"
   depth 1
   user "root"
   group "root"
@@ -115,12 +115,14 @@ systemd_service "planetdump@" do
   user "www-data"
   exec_start "/usr/local/bin/planetdump %i"
   memory_max "64G"
-  private_tmp true
-  private_devices true
-  private_network true
-  protect_system "full"
-  protect_home true
-  no_new_privileges true
+  sandbox true
+  read_write_paths [
+    "/store/planetdump",
+    "/store/planet/pbf",
+    "/store/planet/planet",
+    "/var/log/exim4",
+    "/var/spool/exim4"
+  ]
 end
 
 cron_d "planet-dump-mirror" do