File peertube-service.patch of Package peertube
--- a/support/systemd/peertube.service 2023-01-01 18:23:37.102085035 +0100
+++ b/support/systemd/peertube.service 2023-01-01 21:03:47.719308101 +0100
@@ -5,21 +5,20 @@
 [Service]
 Type=simple
 Environment=NODE_ENV=production
-Environment=NODE_CONFIG_DIR=/var/www/peertube/config
+Environment=NODE_CONFIG_DIR=/srv/www/peertube/config
 User=peertube
 Group=peertube
 ExecStart=/usr/bin/node dist/server
-WorkingDirectory=/var/www/peertube/peertube-latest
-SyslogIdentifier=peertube
+WorkingDirectory=/srv/www/peertube/peertube-latest
 Restart=always
 
 ; Some security directives.
 ; Mount /usr, /boot, and /etc as read-only for processes invoked by this service.
-ProtectSystem=full
+ProtectSystem=strict
 ; Sets up a new /dev mount for the process and only adds API pseudo devices
 ; like /dev/null, /dev/zero or /dev/random but not physical devices. Disabled
 ; by default because it may not work on devices like the Raspberry Pi.
-PrivateDevices=false
+PrivateDevices=true
 ; Ensures that the service process and all its children can never gain new
 ; privileges through execve().
 NoNewPrivileges=true
@@ -29,5 +28,8 @@
 ; Drops the sys admin capability from the daemon.
 CapabilityBoundingSet=~CAP_SYS_ADMIN
+ReadWritePaths=/srv/www/peertube/config
+ReadWritePaths=/srv/www/peertube/storage
+
 
 [Install]
 WantedBy=multi-user.target
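Review bot: The two comments kept above the changed directives now contradict the values beneath them: the ProtectSystem comment still says only /usr, /boot and /etc are read-only, whereas strict makes the entire file system hierarchy read-only except /dev, /proc, /sys and whatever ReadWritePaths= allows, and the PrivateDevices comment still says the option is "Disabled by default" although it is now true. Reword them, e.g. `; Mount the whole file system read-only except /dev, /proc, /sys and the ReadWritePaths= listed below.` and `; Private /dev with only API pseudo devices (no physical devices); set to false on hardware such as the Raspberry Pi if this breaks anything.` A caveat worth recording next to the strict setting: every write outside the allow-listed paths now fails with EROFS, including scratch files in /tmp unless PrivateTmp=true is also added, so the ReadWritePaths= entries must cover every location PeerTube writes to. Dropping SyslogIdentifier=peertube also means journal entries for this unit are tagged with the process name (node) rather than "peertube", which anyone filtering or alerting on the journal should be aware of.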
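Review bot: ReadWritePaths=/srv/www/peertube/config gives the service user write access to the directory that holds production.yaml and therefore the database and other credentials, which partly undoes what ProtectSystem=strict just gained: a compromised node process can rewrite its own configuration. Presumably this is needed because PeerTube persists settings changed through the admin UI into a file in that directory — verify that against the deployed version, and if this instance does not rely on that feature, drop the config entry and keep the directory read-only. The storage entry looks right but only works if every storage.* path in production.yaml (videos, logs, tmp, …) resolves below /srv/www/peertube/storage; anything configured elsewhere will fail with EROFS under strict, so a comment stating that assumption would help the next maintainer. Two ReadWritePaths= lines are valid since systemd merges them, but the single-line form `ReadWritePaths=/srv/www/peertube/config /srv/www/peertube/storage` is the more common style.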