We watch over the database paths with a 'systemd.path' unit and invalidate the CDN cached files once the DBs on the origin are changed. Fixes https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/778 Signed-off-by: Christian Heusel <christian@heusel.eu>
# Template unit: the instance name (%i) selects which database has its cached
# files invalidated on the Fastly CDN.
[Unit]
Description=to invalidate the %i database on Fastly

[Service]
# One-shot job: the script runs to completion and the unit becomes inactive again.
Type=oneshot
# The leading "-" makes a missing file non-fatal, so the script can be started
# without these variables.
# NOTE(review): presumably this file carries the Fastly API credentials; confirm
# it is root-owned and not world-readable, and that the script exits non-zero
# when the variables are unset.
EnvironmentFile=-/etc/conf.d/fastly-invalidate
# %i reaches the script as its only argument, in escaped form (%I would be the
# unescaped form).
ExecStart=/usr/local/bin/fastly-invalidate.sh %i

# Sandboxing. The script only needs to make outbound network requests.
# An empty assignment clears the capability bounding set entirely.
CapabilityBoundingSet=
# Run under a UID/GID allocated for the lifetime of the unit, not a static account.
DynamicUser=yes
LockPersonality=yes
# Refuse memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
# Home directories are made inaccessible.
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Other users' process entries in /proc are not accessible to the service.
ProtectProc=noaccess
# Allow-list: only IPv4 and IPv6 sockets may be created. AF_UNIX is not listed.
# NOTE(review): confirm the script needs no UNIX-socket helper, e.g. for name
# resolution.
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
# Only system calls of the native architecture are permitted.
SystemCallArchitectures=native
# The leading "~" makes this a deny-list: calls in the listed groups are
# blocked, everything else stays allowed.
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap