| author | Martin Puppe <dev@mpuppe.de> | 2023-01-31 02:14:50 +0100 |
|---|---|---|
| committer | Martin Puppe <dev@mpuppe.de> | 2023-02-20 23:04:24 +0100 |
| commit | 78ac8123569ae95e5967137d7fb97049b03ad69c (patch) | |
| tree | 00bd52d0ff9e430770379ab1abab680b80ec2613 /pkgs/development/python-modules/rangehttpserver | |
| parent | 9b2e2e8006fc478050f7e6fcd5797d38bd8e07f1 (diff) | |
nixos/yggdrasil: fix configFile option

As far as I can tell the configFile option cannot have worked as
intended. The Yggdrasil systemd service uses a dynamic user. As it was,
there was no way to set the correct permissions on a config file
beforehand which would allow the dynamic user to read the config file
without making it readable for all users. But since the config file can
contain a private key it *must not* be world-readable.

The file must only be readable by root. The file has to be copied and
the permissions have to be fixed during service startup. This can either
be done in an ExecStartPre directive with the '+' prefix (which executes
that command with elevated privileges), or it can be done more
declaratively with the LoadCredential directive. I have chosen the latter
approach because it delegates more work to systemd itself. It should be
noted that this has the minor tradeoff that the config file must not be
larger than 1 MB. This is a limit which systemd imposes on credential
files. But I think 1 MB ought to be enough for anybody ;).
Diffstat (limited to 'pkgs/development/python-modules/rangehttpserver')
0 files changed, 0 insertions, 0 deletions
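
The LoadCredential approach described in the commit message, shown as an added illustration that is not the code from this commit or from the NixOS module. It is a constructed systemd unit fragment: the binary path, the source path `/etc/yggdrasil/private.conf` and the credential name `yggdrasil.conf` are assumptions.

```ini
# Constructed example, e.g. /etc/systemd/system/yggdrasil.service (assumed name).
[Unit]
Description=Yggdrasil with a root-only config file (illustration)

[Service]
# The service runs as a transient user allocated at start-up, so no
# UID exists beforehand that the config file could be chown'ed to.
DynamicUser=yes

# The source file (assumed path) stays owned by root with mode 0600.
# systemd reads it with its own privileges before dropping to the
# dynamic user and exposes a copy under the name "yggdrasil.conf"
# in a per-service credentials directory that only this service's
# processes can read.
# systemd refuses credentials larger than 1 MB, the limit the commit
# message mentions.
LoadCredential=yggdrasil.conf:/etc/yggdrasil/private.conf

# %d expands to the credentials directory (the same value as
# $CREDENTIALS_DIRECTORY inside the service).
ExecStart=/usr/bin/yggdrasil -useconffile %d/yggdrasil.conf
```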
