From b8267c261ca647ea5465ac8c0be443c14e9f01b6 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Fri, 10 Dec 2021 17:10:50 +0300
Subject: fix(ops/irccat): Avoid permissions issue with LoadCredentials=

The DynamicUser + Group configuration does not work as planned, thus the systemd LoadCredentials feature is used instead which makes the file (which itself is only readable by root) available in a memory-backed location only readable by the service.

The secret is only available to `ExecStart` commands, so units using this feature can not be used with pre/post units and the like if those commands need secrets. To accommodate this, the merge of configuration files has been moved into the service launch script, which is now the ExecStart= process.

For details take a look at https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LoadCredential=ID:PATH

Change-Id: I693fe5677cc0d63c7aa485c2c7472457c5262166
---
 ops/machines/whitby/default.nix | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

(limited to 'ops/machines/whitby/default.nix')

diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index 381980fd37..41b53fa984 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -209,6 +209,7 @@ in {
     in {
       clbot.file = secretFile "clbot";
       gerrit-queue.file = secretFile "gerrit-queue";
+      irccat.file = secretFile "irccat";
       owothia.file = secretFile "owothia";
 
       buildkite-agent-token = {
@@ -221,12 +222,6 @@ in {
         file = secretFile "clbot-ssh";
         owner = "clbot";
       };
-
-      irccat = {
-        file = secretFile "irccat";
-        mode = "0440";
-        group = "irccat";
-      };
     };
 
   # Automatically collect garbage from the Nix store.
-- 
cgit 1.4.1
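Review bot: The added `irccat.file = secretFile "irccat";` in the first hunk, together with the removal of `mode = "0440"` and `group = "irccat"` in the second, leaves the decrypted irccat secret readable by root only, but nothing in this file shows who consumes it: the `LoadCredential=` on the irccat unit that the message describes is outside this diff (the diffstat lists only default.nix), so the hunk is only correct if that unit change is deployed together with it. A reader of this file later sees irccat declared unlike clbot-ssh, with no owner or group, and has no hint why, which invites someone to re-add a group grant and silently widen access again. A one-line comment on the added line would record the intent: `# root-only on disk; the irccat unit receives a copy via systemd LoadCredential=`. The same point covers the second hunk, which removes the old group-based grant.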