Add dropPrivileges options for vault module #65089
Conversation
340984e to 916916f
cc @rushmorem @LnL7
Group = "vault"; | ||
User = if cfg.dropPrivileges then "vault" else null; | ||
Group = if cfg.dropPrivileges then "vault" else null; | ||
PermissionsStartOnly = true; |
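Review bot: `PermissionsStartOnly = true` is deprecated in systemd and is redundant in both branches of this change: with `dropPrivileges = false` the whole unit already runs as root, and with it `true` the supported form is to prefix only the individual `ExecStartPre=` commands that need root with `+` (`ExecStartPre=+<command>`), so the line can be dropped.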
This is deprecated, do not use please. If you run as root this shouldn't be required, and if you don't run as root this implies problems with the existing service. I'm not familiar with this software so could you please explain some of the issues when running this software as an unprivileged user?
hi @aanderse Thanks for the review. You're right about PermissionsStartOnly, it got here because I did branch out of a little older revision. My main issue when not using root is when I'm deploying using nixops: the unit would fail to start since it requires some keys that won't be able to be accessed by the vault user since they will be under /run/keys. I don't wanna complicate stuff with a unit that copies the keys somewhere. Also, being able to choose whether to drop privileges or not is a good thing to have so people can decide on their own.
@PsyanticY Thanks for explaining. Fortunately nixops has you covered with the user, group, and permissions options available to every key you declare. Were there other reasons you wanted this?
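The nixops key options referred to in the comment above, as an added example that is not part of this PR or of the vault module: a deployment key declared with user/group/permissions so that nixops installs it readable by the unprivileged vault user, with the vault unit ordered after the key's own service. The key name `vault-tls`, the path `./secrets/vault-tls.pem`, and the nixops convention that `/run/keys` is traversable through the `keys` group are assumptions.

```nix
{
  # Added example, not from the PR. nixops places every declared key under
  # /run/keys and chowns the key file to the user/group given here, so the
  # file itself is readable without running the service as root.
  deployment.keys.vault-tls = {
    keyFile = ./secrets/vault-tls.pem;  # assumed path on the deploying host
    user = "vault";
    group = "vault";
    permissions = "0400";              # owner read-only instead of the root-only default
  };

  # /run/keys itself stays root-owned; nixops makes it group-accessible via
  # the "keys" group, so the service user must be a member to reach the file.
  users.users.vault.extraGroups = [ "keys" ];

  # nixops creates a <name>-key.service per key; order the vault unit after it
  # so it never starts before /run/keys/vault-tls exists, and keep the module's
  # own User/Group = "vault" rather than falling back to root.
  systemd.services.vault = {
    after = [ "vault-tls-key.service" ];
    wants = [ "vault-tls-key.service" ];
  };
}
```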
@aanderse Tried setting user, group and permission with nixops but to no avail since the /run/key folder is owned by root.
@PsyanticY Generally speaking it is better to address such problems head on instead of coming up with workarounds. I would suggest filing an issue asking for assistance with deployment keys on nixops, or starting a thread on discourse. I was using deployment keys on nixops a fair bit last year so I'm pretty sure it works. Maybe just a config issue?
@aanderse Thanks for explaining. I'll be closing this.
916916f to 087ceb2
@PsyanticY Please ping me on the ticket or thread you make about this. I want to make sure this gets resolved for you!
@aanderse Thanks for the followup. It is not that I don't have another way to fix it (I can override the unit definition to run as root, add the
Motivation for this change
This would enable running the vault systemd unit as root if the option dropPrivileges is set to false. Running as vault would cause a lot of issues when deploying certificates using nixops.
Things done