[krow] has joined #nixos-systemd
kroh has quit [Ping timeout: 265 seconds]
emily has quit [*.net *.split]
Ox4A6F has quit [*.net *.split]
colemickens has quit [*.net *.split]
feepo has quit [*.net *.split]
NinjaTrappeur has quit [*.net *.split]
NinjaTrappeur has joined #nixos-systemd
feepo has joined #nixos-systemd
Ox4A6F has joined #nixos-systemd
emily has joined #nixos-systemd
colemickens has joined #nixos-systemd
<aanderse> ohh nixos unstable will get the new credentials stuff from systemd already? 🎉
<aanderse> that will make my life better :D
<flokli> the current release doesn't have it yet
<makefu> aanderse: nixos is an early adopter for new cool systemd features :) poettering joined the discussion already a couple of times on github
<aanderse> makefu: yup, thanks to flokli
<flokli> on that note, gchristensen:
<flokli> <para>The credential files/IPC sockets must be accessible to the service manager, but don't have to
<flokli> be directly accessible to the unit's processes: the credential data is read and copied into separate,
<flokli> read-only copies for the unit that are accessible to appropriately privileged processes. This is
<flokli> particularly useful in combination with <varname>DynamicUser=</varname> as this way privileged data
<flokli> can be made available to processes running under a dynamic UID (i.e. not a previously known one)
<flokli> without having to open up access to all users.</para>
<flokli> meaning, we can still manage secrets in /run/secrets, but don't need to give DynamicUser=true processes access to the keys group
<flokli> (following-up on the discussion in #nixos earlier today)
<aanderse> this functionality solves problems for non dynamic user applications as well
<aanderse> like a debian web server which has a root only readable wildcard ssl certificate that httpd can read when started as root
<aanderse> or our acme module
Blackraider has joined #nixos-systemd
Blackraider has quit [Remote host closed the connection]
<flokli> yes :-)