user "planet"
exec_start "/usr/local/bin/users-agreed"
nice 10
- private_tmp true
- private_devices true
- protect_system "strict"
- protect_home true
+ sandbox :enable_network => true
read_write_paths "/store/planet/users_agreed"
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
end
systemd_timer "users-agreed" do
user "planet"
exec_start "/usr/local/bin/users-deleted"
nice 10
- private_tmp true
- private_devices true
- protect_system "strict"
- protect_home true
+ sandbox :enable_network => true
read_write_paths "/store/planet/users_deleted"
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
end
systemd_timer "users-deleted" do
description "Changesets replication"
user "planet"
exec_start "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
- private_tmp true
- private_devices true
- protect_system "strict"
- protect_home true
+ sandbox :enable_network => true
read_write_paths [
"/run/replication",
"/store/planet/replication/changesets"
]
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
end
systemd_timer "replication-changesets" do
user "planet"
working_directory "/etc/replication"
exec_start "/usr/local/bin/replicate-minute"
- private_tmp true
- private_devices true
- protect_system "strict"
- protect_home true
+ sandbox :enable_network => true
read_write_paths [
"/run/replication",
"/store",
"/var/lib/replication/minute"
]
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
end
systemd_timer "replication-minutely" do
user "planet"
exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/hour"
environment "LD_PRELOAD" => "/opt/flush/flush.so"
- private_tmp true
- private_devices true
- protect_system "strict"
- protect_home true
+ sandbox :enable_network => true
+ memory_deny_write_execute false
read_write_paths [
"/store/planet/replication/hour",
"/var/lib/replication/hour"
]
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
end
systemd_timer "replication-hourly" do
user "planet"
exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/day"
environment "LD_PRELOAD" => "/opt/flush/flush.so"
- private_tmp true
- private_devices true
- protect_system "strict"
- protect_home true
+ sandbox :enable_network => true
+ memory_deny_write_execute false
read_write_paths [
"/store/planet/replication/day",
"/var/lib/replication/day"
]
- restrict_address_families %w[AF_INET AF_INET6]
- no_new_privileges true
end
systemd_timer "replication-daily" do
description "Cleanup replication"
user "planet"
exec_start "/usr/local/bin/replicate-cleanup"
- private_tmp true
- private_devices true
- private_network true
- protect_system "strict"
- protect_home true
+ sandbox true
read_write_paths "/var/lib/replication"
- no_new_privileges true
end
systemd_timer "replication-cleanup" do