X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/ddd5881f47d2eaf1fd585d831bc787fa182def72..23d8f4f4043479c3cbd43239bc2ab2e20dd87eb8:/cookbooks/planet/recipes/replication.rb

diff --git a/cookbooks/planet/recipes/replication.rb b/cookbooks/planet/recipes/replication.rb
index a31f98288..e09bbcbe6 100644
--- a/cookbooks/planet/recipes/replication.rb
+++ b/cookbooks/planet/recipes/replication.rb
@@ -161,10 +161,12 @@ systemd_service "users-agreed" do
   description "Update list of users accepting CTs"
   user "planet"
   exec_start "/usr/local/bin/users-agreed"
+  nice 10
   private_tmp true
   private_devices true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths "/store/planet/users_agreed"
   restrict_address_families %w[AF_INET AF_INET6]
   no_new_privileges true
 end
@@ -178,10 +180,12 @@ systemd_service "users-deleted" do
   description "Update list of deleted users"
   user "planet"
   exec_start "/usr/local/bin/users-deleted"
+  nice 10
   private_tmp true
   private_devices true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths "/store/planet/users_deleted"
   restrict_address_families %w[AF_INET AF_INET6]
   no_new_privileges true
 end
@@ -213,8 +217,12 @@ systemd_service "replication-changesets" do
   exec_start "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
   private_tmp true
   private_devices true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths [
+    "/run/replication",
+    "/store/planet/replication/changesets"
+  ]
   restrict_address_families %w[AF_INET AF_INET6]
   no_new_privileges true
 end
@@ -274,8 +282,14 @@ systemd_service "replication-minutely" do
   exec_start "/usr/local/bin/replicate-minute"
   private_tmp true
   private_devices true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths [
+    "/run/replication",
+    "/store/replication/minute",
+    "/store/planet/replication/minute",
+    "/var/lib/replication/minute"
+  ]
   restrict_address_families %w[AF_INET AF_INET6]
   no_new_privileges true
 end
@@ -320,8 +334,12 @@ systemd_service "replication-hourly" do
   environment "LD_PRELOAD" => "/opt/flush/flush.so"
   private_tmp true
   private_devices true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths [
+    "/store/planet/replication/hour",
+    "/var/lib/replication/hour"
+  ]
   restrict_address_families %w[AF_INET AF_INET6]
   no_new_privileges true
 end
@@ -364,8 +382,12 @@ systemd_service "replication-daily" do
   environment "LD_PRELOAD" => "/opt/flush/flush.so"
   private_tmp true
   private_devices true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths [
+    "/store/planet/replication/day",
+    "/var/lib/replication/day"
+  ]
   restrict_address_families %w[AF_INET AF_INET6]
   no_new_privileges true
 end
@@ -384,8 +406,9 @@ systemd_service "replication-cleanup" do
   private_tmp true
   private_devices true
   private_network true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths "/var/lib/replication"
   no_new_privileges true
 end