Configure kredits-github #37
Reference: kosmos/chef#37
No description provided.
This is running on barnard.kosmos.org, but for some reason that I can't figure out nginx just refuses connections to the site. All configs and services look good to me, and nothing is throwing errors.

closes #35
Title changed from "Configure kosmos-github" to "Configure kredits-github"

Sorry, the commit has the wrong app name.
I fixed the issue. All working now.
As the environment contains secrets, I'm switching the systemd unit to use EnvironmentFile instead.
LGTM apart from that and the references to sockethub that I fixed.
Title changed from "Configure kredits-github" to "WIP: Configure kredits-github"

I cannot see how that makes it more secure from the document you linked. Care to explain?
(I assume this comes from me pasting a sentence from and link to the official systemd docs, where it says you shouldn't put secrets in systemd environment vars?)
Also, wouldn't we need to do that for all our cookbooks/systemd units then? (Meaning there's an issue missing about it.)
I checked, and it turns out I misunderstood EnvironmentFile. Using it, I thought it wouldn't show the environment variables in /proc/$ID/environ, but that can only be read by root, not regular users. So we can use Environment directives, as long as the systemd unit file is not world readable (so the unit file itself needs to be something like 640).

I think every systemd unit file that contains secrets shouldn't be world readable; we can create an issue about it.
I have also found this regarding EnvironmentFile, Poettering said it was a mistake: https://unix.stackexchange.com/a/419061

I reverted my EnvironmentFile change and fixed the permission in 2cf6112
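An added example, not part of this PR or the kosmos/chef cookbooks: a POSIX shell check that walks a directory of unit files and flags any that pass secrets via `Environment=` while still being world-readable, which is the condition the comments above settle on (unit file mode 640 or stricter). The directory path and the sample units are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the kosmos/chef cookbooks).
# audit_unit_env_perms <dir>
#   Prints "<mode> <path>" for every *.service file in <dir> that sets
#   Environment= but is readable by "others". Returns 1 if any were found,
#   0 otherwise, so it can gate a deploy or a CI step.
#   Note: drop-ins under <unit>.d/*.conf can also carry Environment= lines
#   and would need the same check; kept out here for brevity.
audit_unit_env_perms() {
    dir="$1"
    found=0
    for unit in "$dir"/*.service; do
        [ -f "$unit" ] || continue
        # Only units that inject environment variables are of interest.
        grep -q '^Environment=' "$unit" || continue
        # Octal mode: GNU stat first, BSD stat as fallback.
        mode=$(stat -c '%a' "$unit" 2>/dev/null || stat -f '%Lp' "$unit")
        # The last octal digit is the "others" class; any value with the
        # read bit (4) set means the secrets inside are world-readable.
        others=$(printf '%s' "$mode" | tail -c 1)
        case "$others" in
            4|5|6|7) printf '%s %s\n' "$mode" "$unit"; found=1 ;;
        esac
    done
    return $found
}

# Stand-alone usage against the live unit directory (constructed path
# for a local test: replace with /etc/systemd/system on a real host).
if [ "${1:-}" != "" ]; then
    audit_unit_env_perms "$1"
fi
```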
OK, but that still doesn't explain why this one cookbook would be the only one where we have to solve the problem. I merely did what we do in literally all of our site cookbooks.
Also, that still leaves the question about env vars in systemd units being unsecure for other reasons than reading the file itself, as outlined by the systemd docs I linked.
Can you link that page again? I can't find it
Edit: I created #38 for the Systemd environment variables
Title changed from "WIP: Configure kredits-github" to "Configure kredits-github"