From aa770f0d2a71851249eecc808dd769271ada320f Mon Sep 17 00:00:00 2001
From: Thomas <51749973+Thovi98@users.noreply.github.com>
Date: Fri, 10 Nov 2023 17:08:54 +0100
Subject: [PATCH] Update bookwyrm-server.service

---
 conf/bookwyrm-server.service | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/conf/bookwyrm-server.service b/conf/bookwyrm-server.service
index b92c5d7..17e73b6 100644
--- a/conf/bookwyrm-server.service
+++ b/conf/bookwyrm-server.service
@@ -14,7 +14,7 @@ ProtectSystem=strict
 ProtectHome=tmpfs
 InaccessiblePaths=-/media -/mnt -/srv
 PrivateTmp=yes
-TemporaryFileSystem=/var /run /opt __INSTALL_DIR__
+TemporaryFileSystem=/var /run
 #PrivateUsers=true
 PrivateDevices=true
 BindReadOnlyPaths=__INSTALL_DIR__
@@ -31,11 +31,11 @@ ProtectControlGroups=true
 RestrictRealtime=true
 RestrictNamespaces=net
 
-#NoNewPrivileges=yes
-#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-#DevicePolicy=closed
-#ProtectProc=invisible
-#SystemCallArchitectures=native
+NoNewPrivileges=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+DevicePolicy=closed
+ProtectProc=invisible
+SystemCallArchitectures=native
 #SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
 
 # Denying access to capabilities that should not be relevant for webapps