systemd hardening #68
Conversation
Mic92
force-pushed
the
systemd
branch
7 times, most recently
from
9fceada to
5226d4b
Compare
| group = "harmonia"; | ||
| }; | ||
| groups.harmonia = { }; | ||
| }; |
There was a problem hiding this comment.
This broke some logic I inherited from @NinjaTrappeur that was passing a signing key into Harmonia from a sops location:
nix-signing-key = {
restartUnits = [ "harmonia.service" ];
owner = config.users.users.harmonia.name;
mode = "0440";
};
Looks like the two ways forward here are systemd's LoadCredential scheme (which will make a file available read-only to the unit's user/environment) or else switching from a file to an environment variable. Any thoughts on which of these would be preferable or if there's another option I'm missing?
There was a problem hiding this comment.
Ah, there's an existing discussion on this in Mic92/sops-nix#198.
There was a problem hiding this comment.
LoadCredential that is used, shouldn't require a user. Here an example:
There was a problem hiding this comment.
Thanks! Yes, that's helpful and I do now see how the pieces fit together. I think our original deployment predated the introduction of LoadCredential on your side.
No description provided.