[krow] has joined #nixos-systemd
kroh has quit [Ping timeout: 265 seconds]
emily has quit [*.net *.split]
Ox4A6F has quit [*.net *.split]
colemickens has quit [*.net *.split]
feepo has quit [*.net *.split]
NinjaTrappeur has quit [*.net *.split]
NinjaTrappeur has joined #nixos-systemd
feepo has joined #nixos-systemd
Ox4A6F has joined #nixos-systemd
emily has joined #nixos-systemd
colemickens has joined #nixos-systemd
<aanderse> ohh nixos unstable will get the new credentials stuff from systemd already? 🎉
<aanderse> that will make my life better :D
<flokli> the current release doesn't have it yet
<makefu> aanderse: nixos is an early adopter for new cool systemd features :) poettering joined the discussion already a couple of times on github
<aanderse> makefu: yup, thanks to flokli
<flokli> on that note, gchristensen:
<flokli> <para>The credential files/IPC sockets must be accessible to the service manager, but don't have to
<flokli> be directly accessible to the unit's processes: the credential data is read and copied into separate,
<flokli> read-only copies for the unit that are accessible to appropriately privileged processes. This is
<flokli> particularly useful in combination with <varname>DynamicUser=</varname> as this way privileged data
<flokli> can be made available to processes running under a dynamic UID (i.e. not a previously known one)
<flokli> without having to open up access to all users.</para>
<flokli> meaning, we can still manage secrets in /run/secrets, but don't need to give DynamicUser=true processes access to the keys group
<flokli> (following-up on the discussion in #nixos earlier today)
<aanderse> this functionality solves problems for non-dynamic-user applications as well
<aanderse> like a debian web server which has a root-only readable wildcard ssl certificate that httpd can read when started as root
<aanderse> or our acme module
Blackraider has joined #nixos-systemd
Blackraider has quit [Remote host closed the connection]