From fca52d6ff88f028af37123d314450bf23d022f8a Mon Sep 17 00:00:00 2001
From: Thomas <51749973+Thovi98@users.noreply.github.com>
Date: Tue, 7 Nov 2023 22:19:44 +0100
Subject: [PATCH] fix service config

---
 conf/bookwyrm-server.service | 2 +-
 conf/bookwyrm-worker.service | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/conf/bookwyrm-server.service b/conf/bookwyrm-server.service
index 8aa2716..4a0f6ac 100644
--- a/conf/bookwyrm-server.service
+++ b/conf/bookwyrm-server.service
@@ -37,7 +37,7 @@ RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
 DevicePolicy=closed
 ProtectProc=invisible
 SystemCallArchitectures=native
-SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+#SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
 
 [Install]
 WantedBy=multi-user.target
diff --git a/conf/bookwyrm-worker.service b/conf/bookwyrm-worker.service
index 623a00d..135c633 100644
--- a/conf/bookwyrm-worker.service
+++ b/conf/bookwyrm-worker.service
@@ -13,7 +13,7 @@ ExecStart=__INSTALL_DIR__/venv/bin/celery -A celerywyrm worker -l info -Q high_p
 
 ProtectSystem=strict
 ProtectHome=tmpfs
-#InaccessiblePaths=-/media -/mnt -/srv
+InaccessiblePaths=-/media -/mnt -/srv
 PrivateTmp=yes
 TemporaryFileSystem=/var /run
 #PrivateUsers=true
@@ -37,7 +37,7 @@ RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
 DevicePolicy=closed
 ProtectProc=invisible
 SystemCallArchitectures=native
-SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+#SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
 
 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
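Review bot: Commenting out `SystemCallFilter=` just before `[Install]` in conf/bookwyrm-server.service drops the seccomp deny-list entirely, so `@mount`, `@module`, `@reboot`, `@privileged` and the other listed groups are no longer blocked for the service; the last hunk of conf/bookwyrm-worker.service makes the same change for the Celery worker. The patch does not show which call caused the failure, so if only one group is involved it would be safer to keep the directive and remove just that group, or to keep the full list and add `SystemCallErrorNumber=EPERM` so a denied call returns an error instead of killing the process. At minimum, record the reason above the disabled line, e.g. `# SystemCallFilter disabled: <failing syscall/group> - TODO re-enable with the narrowest exclusion`. Comparing `systemd-analyze security <unit>` before and after would show how much exposure this adds.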