From a406b373ee9a85b2f79e187b582379326b7b70d2 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Wed, 9 Nov 2022 20:26:16 +0000
Subject: [PATCH] Use default sandboxing for the blogs-update service

---
 cookbooks/blogs/recipes/default.rb | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/cookbooks/blogs/recipes/default.rb b/cookbooks/blogs/recipes/default.rb
index c4d425a56..6b181f209 100644
--- a/cookbooks/blogs/recipes/default.rb
+++ b/cookbooks/blogs/recipes/default.rb
@@ -82,12 +82,8 @@ systemd_service "blogs-update" do
 description "Update blog aggregator"
 exec_start "/usr/local/bin/blogs-update"
 user "blogs"
- private_tmp true
- private_devices true
- protect_system "strict"
- protect_home true
+ sandbox :enable_network => true
 read_write_paths "/srv/blogs.openstreetmap.org"
- no_new_privileges true
 end

 systemd_timer "blogs-update" do
-- 
2.39.5
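Review bot: Nothing in this hunk shows that `sandbox :enable_network => true` still applies the five settings it replaces (`private_tmp`, `private_devices`, `protect_system "strict"`, `protect_home`, `no_new_privileges`), because the property's definition is outside the patch; `read_write_paths "/srv/blogs.openstreetmap.org"` in particular only narrows write access if the sandbox keeps the rest of the filesystem read-only. Before merging I would confirm on a converged host that the effective unit is at least as strict as before, for example with `systemd-analyze security blogs-update.service` or `systemctl show blogs-update.service -p ProtectSystem -p NoNewPrivileges -p PrivateTmp`. I would also put a comment above the new line saying why the network exception is needed, e.g. `# Network access is required to fetch the aggregated feeds; other sandbox defaults apply` (assuming that is the reason, which the patch does not state). The `systemd_service "blogs-update" do` block opens above the hunk, on the line named in the `@@` header.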