From 1880afaabfe950989364aeac309a753d459e560a Mon Sep 17 00:00:00 2001
From: Thomas <51749973+Thovi98@users.noreply.github.com>
Date: Fri, 10 Nov 2023 15:51:54 +0100
Subject: [PATCH] Update bookwyrm-server.service

---
 conf/bookwyrm-server.service | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/conf/bookwyrm-server.service b/conf/bookwyrm-server.service
index 6b70a70..b92c5d7 100644
--- a/conf/bookwyrm-server.service
+++ b/conf/bookwyrm-server.service
@@ -17,8 +17,8 @@ PrivateTmp=yes
 TemporaryFileSystem=/var /run /opt __INSTALL_DIR__
 #PrivateUsers=true
 PrivateDevices=true
-#BindReadOnlyPaths=__INSTALL_DIR__
-#BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql
+BindReadOnlyPaths=__INSTALL_DIR__
+BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql
 LockPersonality=yes
 MemoryDenyWriteExecute=true
 PrivateMounts=true
@@ -31,11 +31,11 @@ ProtectControlGroups=true
 RestrictRealtime=true
 RestrictNamespaces=net
-NoNewPrivileges=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-DevicePolicy=closed
-ProtectProc=invisible
-SystemCallArchitectures=native
+#NoNewPrivileges=yes
+#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+#DevicePolicy=closed
+#ProtectProc=invisible
+#SystemCallArchitectures=native
 #SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
 # Denying access to capabilities that should not be relevant for webapps
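Review bot: The newly enabled `BindPaths=` line in the first hunk makes `__INSTALL_DIR__/images`, `__INSTALL_DIR__/static` and `/var/run/postgresql` the only writable locations re-exposed inside the sandbox, but nothing in the unit or the commit message records why each one must be writable. I would add a comment above it such as `# Writable binds: images/static for uploaded and collected files, /var/run/postgresql for the DB socket` — those purposes are inferred from the path names, so confirm them against how the app is deployed. If static assets are produced at deploy time outside this unit, `__INSTALL_DIR__/static` could presumably move to `BindReadOnlyPaths=` so a compromised worker process cannot modify what the web server serves. Because the context line `TemporaryFileSystem=/var /run /opt __INSTALL_DIR__` hides those trees behind empty tmpfs, these binds are what make the install directory and socket reachable at all, and the commit message should say so, together with the rationale for the hardening directives the second hunk comments out (that hunk runs past the end of this view).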