Nixos/crowdsec and DynamicUser

Context

I’m trying out if it’s possible/worth it/good to use DynamicUser = true for the nixos/crowdsec module.

The problem: cscli not usable from the host

If you add DynamicUser = true to the systemd service of crowdsec, its state directory becomes a “private directory”:

```
> ls -l /var/lib | grep crowdsec
lrwxrwxrwx  - root           30 Dez 17:42 crowdsec -> private/crowdsec
```

Which gives an interesting output using file:

```
> file /var/lib/crowdsec
/var/lib/crowdsec: broken symbolic link to private/crowdsec
```

Now, if you try to use cscli you’re getting this:

```
> cscli hub update # just an example usage
Error: while setting up trace directory: mkdir /var/lib/crowdsec: file exists
```

I couldn’t find any mkdir /var/lib/crowdsec call in the crowdsec package so I assume that this attempt to create the directory comes from the binary itself.

Questions

  1. Should I still try to find a way to use DynamicUser = true? (due to this RFC)
  2. Do you have any suggestions on how to fix this?

Workarounds

You could run systemd-run -pDynamicUser=true -pUser=crowdsec -pGroup=crowdsec -pStateDirectory=crowdsec --pty bash to get a shell where you work within the crowdsec systemd service context. There you’re able to use cscli as usual.

You could say that a new wiki article can be created for crowdsec and that this should be mentioned there but… I don’t know if this is that convenient…

Can you make a wrapper for cscli that does the systemd-run call? See nixos/modules/services/networking/atticd.nix for an example of this.


Yooo, that’s smart! Thank you for the hint! I’ll give it a try

@rhendric quick question about your suggestion: If I see that correctly, basically everyone is going to be able to use atticd-atticadm, am I right? Is there a way to constrain it to some users, or is that expected?

systemd-run should ask for a password if it’s doing anything that requires privileges that the calling user doesn’t have, and if your wrapper is just calling systemd-run, so will your wrapper.

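As an added example that is not code from this thread, from the nixos/crowdsec module or from atticd.nix: a NixOS fragment that follows the wrapper suggestion above, running cscli as a transient unit with the same DynamicUser/StateDirectory properties as the service so the private state directory resolves, and relying on systemd-run's polkit check to prompt callers who lack the privilege. It assumes the package is pkgs.crowdsec, the config lives at /etc/crowdsec/config.yaml and the wrapper is called crowdsec-cscli.

```nix
# Added example (not the nixos/crowdsec module's or atticd.nix's own code).
{ config, pkgs, ... }:

let
  # Assumptions: package and config path; adjust to the real module options.
  crowdsecPkg = pkgs.crowdsec;
  configFile = "/etc/crowdsec/config.yaml";
in
{
  # The service properties the wrapper below must mirror exactly; with
  # DynamicUser the state lives in /var/lib/private/crowdsec and is only
  # reachable through a unit that declares the same StateDirectory.
  systemd.services.crowdsec.serviceConfig = {
    DynamicUser = true;
    User = "crowdsec";
    Group = "crowdsec";
    StateDirectory = "crowdsec";
    StateDirectoryMode = "0750";
  };

  environment.systemPackages = [
    # Wrapper name chosen to avoid shadowing the package's own cscli.
    (pkgs.writeShellScriptBin "crowdsec-cscli" ''
      # systemd-run asks the service manager to start a transient unit;
      # polkit authorises that, so an unprivileged caller is prompted for
      # credentials instead of silently gaining access to the state dir.
      # Any ReadWritePaths/Environment the real service needs must be
      # repeated here, otherwise cscli sees a different sandbox.
      exec ${config.systemd.package}/bin/systemd-run \
        --quiet --pty --pipe --same-dir --wait --collect \
        --service-type=exec \
        --property=DynamicUser=yes \
        --property=User=crowdsec \
        --property=Group=crowdsec \
        --property=StateDirectory=crowdsec \
        --property=StateDirectoryMode=0750 \
        --property=WorkingDirectory=/var/lib/crowdsec \
        ${crowdsecPkg}/bin/cscli -c ${configFile} "$@"
    '')
  ];
}
```

Arguments are forwarded with "$@" so quoting survives; check `journalctl -u crowdsec` and the transient unit's output if cscli still reports the trace directory error, since that points at a property mismatch between the wrapper and the service.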