From f0feb7c74ca2252ef2513da12fc85be9684a54b4 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 25 Sep 2024 19:18:15 +0200
Subject: Copy webmap-publish.

We also replace persistent/shared RuntimeDirectory settings with
directories defined as tmpfiles.d(5) entries.  This gives more control
over access control.

We also change static compression from gzip to brotli on the HTTPd.
---
 files/etc/systemd/system/webmap-download@.service | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

(limited to 'files/etc/systemd/system/webmap-download@.service')

diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service
index c0e826f..2c5a3e4 100644
--- a/files/etc/systemd/system/webmap-download@.service
+++ b/files/etc/systemd/system/webmap-download@.service
@@ -16,14 +16,11 @@ IOSchedulingClass=idle
 Type=oneshot
 ExecStart=/usr/local/bin/webmap-download \
     --cachedir=/var/cache/webmap \
-    --lockdir=%t/webmap-download \
+    --lockdir=%t/lock/webmap/download \
     --no-exit-code \
     --quiet \
     -- %I
 
-RuntimeDirectory=webmap-download
-RuntimeDirectoryPreserve=yes
-
 # Hardening
 NoNewPrivileges=yes
 ProtectHome=yes
@@ -34,6 +31,7 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 ReadWritePaths=/var/cache/webmap
+ReadWritePaths=%t/lock/webmap/download
 
 [Install]
 WantedBy=webmap-update@%i.target
-- 
cgit v1.2.3