Dear lazy-web,
As part of enforcing minimum privilege I’m trying to find an elegant way to share files with systemd services, especially `DynamicUser=`-enabled ones. The core conflict stems from the fact that UID/GID are not known until the service is run. There are at least two use cases:
- Secrets. Here, something like `LoadCredential=` could be used in the cases where the data can be referenced via env vars or cmdline flags. Other cases, such as a config file that specifies a literal path, need hackery where the config file is generated at runtime.
- Generic, pre-existing files. The easiest example is device files. They need to be made accessible in-place.
I’m looking for some “scalable” approach that can handle both. Ideally with support for POSIX ACLs, to preempt combinatorial explosions of groups to be created.
My current solution looks like this:
```nix
users.groups.alertmanager-secret-access = { };

sops.secrets.pw = {
  group = config.users.groups.alertmanager-secret-access.name;
  mode = "0440";
};

systemd.services.alertmanager.serviceConfig.SupplementaryGroups = [
  config.users.groups.alertmanager-secret-access.name
];

services.prometheus.alertmanager.configuration.global.smtp_auth_password_file =
  config.sops.secrets.pw.path;
```
(Yes, I know alertmanager actually implements a workaround with envsubst, please ignore this for the sake of argument.)
It works but is error-prone, hard to use as a single construct, and doesn’t do ACLs (both due to sops-nix but also due to needing to mess with `ExecStartPre=`, presumably).
So, ultimately my question is, how have you solved this problem? Is there some nixpkgs functionality I missed? Some flake? A design pattern?
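As an added illustration that is not part of the original post: the per-secret group pattern above, folded into a single NixOS option so that the group, the sops file mode and the services’ `SupplementaryGroups=` are generated from one declaration. The option name `my.sharedSecrets` and the `-secret-access` group suffix are assumptions; it assumes sops-nix is imported, and it still relies on groups rather than ACLs, since a `DynamicUser=` UID cannot be known at build time.

```nix
# Hypothetical module (not from the original post): one declaration per secret
# expands into the group / sops mode / SupplementaryGroups triple shown above.
{ config, lib, ... }:
let
  cfg = config.my.sharedSecrets;
  groupName = name: "${name}-secret-access";
in
{
  options.my.sharedSecrets = lib.mkOption {
    type = lib.types.attrsOf (lib.types.submodule {
      options.services = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        description = "systemd services allowed to read this secret.";
      };
    });
    default = { };
  };

  config = {
    # One dedicated group per secret; no UID/GID has to be known in advance.
    users.groups =
      lib.mapAttrs' (name: _: lib.nameValuePair (groupName name) { }) cfg;

    # root-owned, readable only by the dedicated group.
    sops.secrets = lib.mapAttrs (name: _: {
      group = groupName name;
      mode = "0440";
    }) cfg;

    # SupplementaryGroups= is applied at service start, so it works for
    # DynamicUser= services whose primary UID/GID is allocated at runtime.
    systemd.services = lib.mkMerge (lib.flatten (lib.mapAttrsToList (name: s:
      map (svc: {
        ${svc}.serviceConfig.SupplementaryGroups = [ (groupName name) ];
      }) s.services
    ) cfg));
  };
}
```

With this module, the alertmanager case reduces to `my.sharedSecrets.pw.services = [ "alertmanager" ];` plus the existing `smtp_auth_password_file = config.sops.secrets.pw.path;` line.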