- private_tmp true
- protect_system "strict"
- protect_home true
- read_write_paths ["/var/log/exim4", "/var/spool/exim4"]
+ sandbox true
+ read_write_paths [
+ "/store/planetdump",
+ "/store/planet/pbf",
+ "/store/planet/planet",
+ "/var/log/exim4",
+ "/var/spool/exim4"
+ ]
+end
+
+systemd_service "planetdump-trigger" do
+ description "Planet dump trigger"
+ user "root"
+ exec_start "/usr/local/bin/planetdump-trigger"
+ sandbox true
+ restrict_address_families "AF_UNIX"
+end
+
+service "planetdump-trigger" do
+ action [:enable, :start]
+ subscribes :restart, "template[/usr/local/bin/planetdump-trigger]"