From: Tom Hughes
Date: Sun, 24 Sep 2023 09:55:38 +0000 (+0100)
Subject: Fix access to AWS credentials for planet services
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/f1a403d3877c4cb3abd8e789cd73fdc61602423a?hp=eb2f07271931a87b9ba1104b0eec6240e7bf300b
Fix access to AWS credentials for planet services
---
diff --git a/cookbooks/planet/recipes/notes.rb b/cookbooks/planet/recipes/notes.rb
index f3c91a3e0..e63297081 100644
--- a/cookbooks/planet/recipes/notes.rb
+++ b/cookbooks/planet/recipes/notes.rb
@@ -57,7 +57,9 @@ systemd_service "planet-notes-dump" do
 exec_start "/usr/local/bin/planet-notes-dump"
 user "planet"
 sandbox :enable_network => true
- read_write_paths ["/store/planet/notes", "/home/planet/.aws"]
+ protect_home "tmpfs"
+ bind_paths "/home/planet"
+ read_write_paths "/store/planet/notes"
 end

 systemd_timer "planet-notes-dump" do
diff --git a/cookbooks/planet/recipes/replication.rb b/cookbooks/planet/recipes/replication.rb
index 0a25ad959..e0a3bcc7e 100644
--- a/cookbooks/planet/recipes/replication.rb
+++ b/cookbooks/planet/recipes/replication.rb
@@ -207,8 +207,9 @@ systemd_service "replication-changesets" do
 user "planet"
 exec_start "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
 sandbox :enable_network => true
+ protect_home "tmpfs"
+ bind_paths "/home/planet"
 read_write_paths [
- "/home/planet/.aws",
 "/run/replication",
 "/store/planet/replication/changesets"
 ]
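Review bot: `bind_paths "/home/planet"` in the planet-notes-dump block makes the whole home directory writable inside a unit that also sets `:enable_network => true`, which is wider than the `/home/planet/.aws` path the removed line named; the same two lines are added to replication-changesets in replication.rb. If the jobs need only the AWS credentials, binding that directory alone keeps anything else stored in the home hidden behind the tmpfs: `bind_paths "/home/planet/.aws"`. If the credentials are only read and the AWS tooling does not write a cache there, systemd's `BindReadOnlyPaths=` would be tighter still, assuming the systemd_service resource exposes it. Each block's opening lines sit above its hunk, so other sandbox settings that might already narrow this are not visible here.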