From f0feb7c74ca2252ef2513da12fc85be9684a54b4 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 25 Sep 2024 19:18:15 +0200 Subject: Copy webmap-publish. We also replace persistent/shared RuntimeDirectory settings with directories defined as tmpfiles.d(5) entries. This gives more control over access control. We also change static compression from gzip to brotli on the HTTPd. --- files/etc/systemd/system/webmap-download@.service | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'files/etc/systemd/system/webmap-download@.service') diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service index c0e826f..2c5a3e4 100644 --- a/files/etc/systemd/system/webmap-download@.service +++ b/files/etc/systemd/system/webmap-download@.service @@ -16,14 +16,11 @@ IOSchedulingClass=idle Type=oneshot ExecStart=/usr/local/bin/webmap-download \ --cachedir=/var/cache/webmap \ - --lockdir=%t/webmap-download \ + --lockdir=%t/lock/webmap/download \ --no-exit-code \ --quiet \ -- %I -RuntimeDirectory=webmap-download -RuntimeDirectoryPreserve=yes - # Hardening NoNewPrivileges=yes ProtectHome=yes @@ -34,6 +31,7 @@ ProtectKernelModules=yes ProtectKernelTunables=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 ReadWritePaths=/var/cache/webmap +ReadWritePaths=%t/lock/webmap/download [Install] WantedBy=webmap-update@%i.target -- cgit v1.2.3