X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/7108c794e6ce1a3ea78f3ac6ff8fd7ea3bdc62a3..922630d7504ed1a3fae8da5d253a917a30e72cdb:/cookbooks/geodns/recipes/default.rb
diff --git a/cookbooks/geodns/recipes/default.rb b/cookbooks/geodns/recipes/default.rb
index c006ff9dc..90ae979be 100644
--- a/cookbooks/geodns/recipes/default.rb
+++ b/cookbooks/geodns/recipes/default.rb
@@ -27,6 +27,10 @@ package %w[
 gdnsd
 ]

+link "/etc/gdnsd/geoip/GeoLite2-Country.mmdb" do
+ to "#{node[:geoipupdate][:directory]}/GeoLite2-Country.mmdb"
+end
+
 directory "/etc/gdnsd/config.d" do
 owner "nobody"
 group "nogroup"
@@ -74,11 +78,8 @@ systemd_service "gdnsd-reload" do
 user "root"
 exec_start "/bin/systemctl reload-or-restart gdnsd"
 standard_output "null"
- private_tmp true
- private_devices true
- protect_system "full"
- protect_home true
- no_new_privileges true
+ sandbox true
+ restrict_address_families "AF_UNIX"
 end

 systemd_path "gdnsd-reload" do
@@ -93,16 +94,14 @@ end

 firewall_rule "accept-dns-udp" do
 action :accept
- source "net"
- dest "fw"
- proto "udp"
+ context :incoming
+ protocol :udp
 dest_ports "domain"
 end

 firewall_rule "accept-dns-tcp" do
 action :accept
- source "net"
- dest "fw"
- proto "tcp:syn"
+ context :incoming
+ protocol :tcp
 dest_ports "domain"
 end
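Review bot: The new `link "/etc/gdnsd/geoip/GeoLite2-Country.mmdb"` resource interpolates `node[:geoipupdate][:directory]`, and nothing visible in this hunk guarantees that the geoipupdate cookbook's attributes are loaded; if `node[:geoipupdate]` is unset, the lookup raises on nil during the run. If it is not already present above the hunk, add `include_recipe "geoipupdate"` next to the other includes. The link also dangles until the database has been downloaded once, and gdnsd then answers queries from a file maintained by another service, so it is worth confirming that the target directory is writable only by the updater. A comment such as `# GeoIP database is maintained by geoipupdate; gdnsd only reads it` above the resource would record that dependency.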
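Review bot: In the `systemd_service "gdnsd-reload"` block, five explicit hardening options are replaced by `sandbox true`, and what that flag expands to is defined in the systemd cookbook, not on this page. Because the unit runs as `root`, confirm that the expansion still covers everything removed here, in particular `no_new_privileges` and `protect_home`. The added `restrict_address_families "AF_UNIX"` would benefit from a why-comment, for example `# systemctl only talks to systemd over a local unix socket`. The block opens above the hunk, so options set earlier in it are not visible.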
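Review bot: The `accept-dns-tcp` rule used to match `proto "tcp:syn"` and now uses `protocol :tcp`, so whether it still matches only connection-opening packets depends on how the firewall resource renders `:tcp`, which is not visible here. If the new implementation does not add connection-state matching itself, the rule is broader than before; check this against the firewall cookbook. Both rules now accept DNS under `context :incoming` with no source restriction, so if that is intentional a comment like `# authoritative DNS: reachable from any source` on `accept-dns-udp` would make it explicit.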