puppet: Remove PrivateDevices=true from mw-jobrunner

This breaks sending emails. If you read the documentation for
PrivateDevices carefully, you will see this snippet:

    If turned on and if running in user mode, or in system mode, but
    without the CAP_SYS_ADMIN capability (e.g. setting User=),
    NoNewPrivileges=yes is implied.

We are running in system mode, but setting User=, so we match this
condition. PHP's mail() function uses the sendmail binary, which is a
suid binary, and NoNewPrivileges=yes prevents them from changing

While at it, reduce the restart timeout to avoid false positives
from our jobqueue status checker script. The only purpose is to spare
some system resources should the script fail to start continuously.
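
The condition quoted from the PrivateDevices documentation can be checked mechanically before a unit is deployed. The following lint is an added example, not part of this commit or of the puppet repository; the two unit files, the `www-data` user and the function names are constructed for illustration, and it checks only the PrivateDevices/User= case described above.

```python
# Added example: flag [Service] sections where PrivateDevices= together with
# User= implies NoNewPrivileges=yes, which stops suid helpers such as
# sendmail from gaining privileges. Unit contents below are constructed.

SYSTEMD_TRUE = {"1", "yes", "y", "true", "t", "on"}  # systemd boolean spellings

BEFORE = """\
[Unit]
Description=example job runner (constructed)
[Service]
User=www-data
PrivateDevices=true
ExecStart=/usr/bin/php /srv/example/runner.php
"""

AFTER = """\
[Service]
User=www-data
ExecStart=/usr/bin/php /srv/example/runner.php
"""

def service_settings(unit_text):
    """Return the last value assigned to each key in the [Service] section."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()  # later assignment wins
    return settings

def implied_no_new_privileges(unit_text):
    """True when PrivateDevices is on and User= names a non-root account.

    Assumption: a non-root User= is taken to mean the service runs without
    CAP_SYS_ADMIN, the case the quoted documentation gives as its example.
    """
    s = service_settings(unit_text)
    private_devices = s.get("PrivateDevices", "").lower() in SYSTEMD_TRUE
    unprivileged = s.get("User", "") not in ("", "root", "0")
    return private_devices and unprivileged

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, "implied NoNewPrivileges:", implied_no_new_privileges(text))
```

On a running host, `systemctl show -p NoNewPrivileges,PrivateDevices,User <unit>` prints the configured values of the same properties for comparison.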