community: container definitions should not be world readable

[chef.git] / cookbooks / blogs / recipes / default.rb

diff --git a/cookbooks/blogs/recipes/default.rb b/cookbooks/blogs/recipes/default.rb
index c4d425a5634151cecb93e54beb0169908c3feeae..6b181f2090714e70b1d461e4f45d2e61cf24dc20 100644 (file)
--- a/cookbooks/blogs/recipes/default.rb
+++ b/cookbooks/blogs/recipes/default.rb
@@ -82,12 +82,8 @@ systemd_service "blogs-update" do
   description "Update blog aggregator"
   exec_start "/usr/local/bin/blogs-update"
   user "blogs"
-  private_tmp true
-  private_devices true
-  protect_system "strict"
-  protect_home true
+  sandbox :enable_network => true
   read_write_paths "/srv/blogs.openstreetmap.org"
-  no_new_privileges true
 end
 
 systemd_timer "blogs-update" do