Improve sandboxing of matomo archiver

[chef.git] / cookbooks / matomo / recipes / default.rb

diff --git a/cookbooks/matomo/recipes/default.rb b/cookbooks/matomo/recipes/default.rb
index a14a76954bb9f80411020ff09d645b5d129737a9..9cea5099d67a24f8cdda8462b682f505bdb79cf1 100644 (file)
--- a/cookbooks/matomo/recipes/default.rb
+++ b/cookbooks/matomo/recipes/default.rb
@@ -201,9 +201,10 @@ end
 
 systemd_service "matomo-archive" do
   description "Matomo report archiving"
 
 systemd_service "matomo-archive" do
   description "Matomo report archiving"

-  exec_start "/usr/bin/php /srv/matomo.openstreetmap.org/console core:archive --quiet --url=https://matomo.openstreetmap.org/"
+  exec_start "/usr/bin/php /srv/matomo.openstreetmap.org/console core:archive --url=https://matomo.openstreetmap.org/"

   user "www-data"
   sandbox true
   user "www-data"
   sandbox true

+  proc_subset "all"

   memory_deny_write_execute false
   restrict_address_families "AF_UNIX"
   read_write_paths "/opt/matomo-#{version}/matomo/tmp"
   memory_deny_write_execute false
   restrict_address_families "AF_UNIX"
   read_write_paths "/opt/matomo-#{version}/matomo/tmp"


@@ -211,7 +212,7 @@ end
 
 systemd_timer "matomo-archive" do
   description "Matomo report archiving"
 
 systemd_timer "matomo-archive" do
   description "Matomo report archiving"

-  on_calendar "00:05"
+  on_calendar "*:05"

 end
 
 service "matomo-archive.timer" do
 end
 
 service "matomo-archive.timer" do