mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-13 01:03:25 +00:00
78ac812356
As far as I can tell the configFile option cannot have worked as intended. The Yggdrasil systemd service uses a dynamic user. As it was, there was no way to set the correct permissions on a config file beforehand which would allow the dynamic user to read the config file without making it readable for all users. But since the config file can contain a private key it *must not* be world-readable. The file must only be readable by root.

The file has to be copied and the permissions have to be fixed during service startup. This can either be done in an ExecStartPre directive with the '+' prefix (which executes that command with elevated privileges), or it can be done more declaratively with the LoadCredential directive. I have chosen the latter approach because it delegates more work to systemd itself.

It should be noted that this has the minor tradeoff that the config file must not be larger than 1 MB. This is a limit which systemd imposes on credential files. But I think 1 MB ought to be enough for anybody ;).

doc/manual
lib
maintainers
modules
tests
COPYING
default.nix
README
release-combined.nix
release-small.nix
release.nix

*** NixOS ***

NixOS is a Linux distribution based on the purely functional package management system Nix. More information can be found at https://nixos.org/nixos and in the manual in doc/manual.