| 10 Aug 2023 |
 Lily Foster | Unfortunately | 19:05:20 |
 countoren | well writeShellScript that reads the npmrc wont leak it to nix store | 19:05:43 |
| Lily Foster | So are you meaning a shell script that changes the daemon systemd overrides and reloads it? (Just to be clear) | 19:06:04 |
| countoren | if you want I could it give it to put in docs the moment i have it | 19:06:13 |
| countoren | yes | 19:06:21 |
| Lily Foster | Okay if it's just a script that configures someome's system I suppose that won't leak anywhere | 19:06:41 |
| Lily Foster | (Maybe make sure override file has tight perms though) | 19:06:58 |
| countoren | btw could not override a file there | 19:07:20 |
| Lily Foster | Or have it include an EnvironmentFile in the unit settings that you put elsewhere with tight perms is probably best | 19:07:29 |
| countoren | the entire folder is on the nix store | 19:07:29 |
| Lily Foster | In reply to @countoren:matrix.org
the entire folder is on the nix store Oh, rip | 19:07:37 |
| countoren | systemctl set-env... | 19:08:02 |
| Lily Foster | Yeah I'm sorry the Nix UX kinda sucks for this :( | 19:08:09 |
| countoren | the problem with that it exposes the var to any process | 19:08:18 |
| Lily Foster | In reply to @countoren:matrix.org
systemctl set-env... That does similar, but maybe it stores it somewhere else | 19:08:23 |
| Lily Foster | * Yeah I'm sorry the Nix UX kinda sucks for this
:( | 19:08:29 |
| Lily Foster | In reply to @countoren:matrix.org
the problem with that it exposes the var to any process oh | 19:08:40 |
| Lily Foster | This setting it in manager conf then | 19:08:48 |
| countoren | manager conf? | 19:09:04 |
| Lily Foster | systemd service manager config. So it gets inherited across all services and systemd itself | 19:09:24 |
| Lily Foster | But that's probably ... fine | 19:09:32 |
| countoren | is'nt it kinda defeat the purpose ? | 19:09:56 |
| countoren | well I guess it is better then being in nix store... | 19:10:17 |
| countoren | Actually should'nt the rust just read npmrc if exists? | 19:11:15 |
| Lily Foster | Not necessarily. Unpriveleged users can't read the environment of a privileged process (which all system services probably are. Or at least not running as the interactive user I mean) and it's really easy for stuff that gets into the store to accidentally make it other places (and store is world-readable by default) | 19:11:30 |
| Lily Foster | In reply to @countoren:matrix.org
Actually should'nt the rust just read npmrc if exists? It won't exist in the nix sandbox and I'd have to add npmrc parsing code for that 😅 | 19:11:56 |
| Lily Foster | * It won't exist in the nix sandbox and I'd have to add npmrc parsing code for that anyway 😅 | 19:12:13 |
| Lily Foster | * Not necessarily. Unprivileged users can't read the environment of a privileged process (which all system services probably are. Or at least not running as the interactive user I mean) and it's really easy for stuff that gets into the store to accidentally make it other places (and store is world-readable by default) | 19:12:24 |
| countoren | Well I guess user can just writeShellScript wrapping the nix build itself exporting the env var reading npmrc | 19:13:35 |
| Lily Foster | If you really want it in the derivation and don't mind it being in the store, you'll be able to set postPatch = "export NPM_TOKENS=..." with it how it is | 19:14:07 |
