| 23 Apr 2023 |
David Arnold (blaggacao) | Hey! I know there have been ideas to generalize the activation package so that colmena can be a wrapper to any activation sequence (e.g. Home Manager, NixOS, Liminix).
I now have another candidate, for which I'd be glad to make colmena my go-to tool: Mikrotik Routers managed with Nix
| 17:15:47 |
David Arnold (blaggacao) | Can a knowledgeable member point me to the current state of discussion / design thinking on this topic/generic feature? | 17:16:26 |
| 28 Apr 2023 |
@sumner:nevarro.space | I'm having trouble with running a systemd service that reads from a secret that I uploaded via colmena. I uploaded the secret and set the user and group to msclinkbot and I am using the same user and group for the systemd service. But I get permission denied whenever I try to access that file (even if just via cat /run/keys/mscbot_password). Does anyone have suggestions for what could be going wrong? | 17:22:53 |
hexa | needs more details | 17:44:39 |
hexa | stat on the secret | 17:44:44 |
hexa | and ideally the systemd unit | 17:44:47 |
hexa | and you could try if the user used in the unit can stat the secret | 17:45:10 |
hexa | and if it cannot, try to ls the directory above | 17:45:22 |
@sumner:nevarro.space | deployment.keys = {
  mscbot_password = {
    keyCommand = [ <something> ];
    user = "msclinkbot";
    group = "msclinkbot";
  };
};
My config is:
systemd.services.msclinkbot = {
  description = "MSC Link Bot";
  after = [
    "matrix-synapse.target"
    "mscbot_password-key.service"
  ];
  wantedBy = [ "multi-user.target" ];
  serviceConfig = {
    ExecStart = ''
      ${pkgs.coreutils}/bin/cat /run/keys/mscbot_password
    '';
    Restart = "on-failure";
    User = "msclinkbot";
    Group = "msclinkbot";
  };
};
users = {
  users.msclinkbot = {
    group = "msclinkbot";
    isSystemUser = true;
    home = cfg.dataDir;
    createHome = true;
  };
  groups.msclinkbot = { };
};
I can't get into the msclinkbot user because it says that it's currently unavailable
| 18:03:11 |
hexa | just run sudo -u msclinkbot <command> | 18:13:16 |
@sumner:nevarro.space | Oh, I was trying to use su to shell in.
root@matrix:~/ > sudo -u msclinkbot cat /var/lib/msclinkbot
cat: /var/lib/msclinkbot: Is a directory
| 18:14:38 |
hexa | cat expects a file 🐱 | 18:15:05 |
@sumner:nevarro.space | ack, I copied the wrong output lol | 18:15:13 |
@sumner:nevarro.space | * Oh, I was trying to use su to shell in.
root@matrix:~/ > sudo -u msclinkbot cat /run/keys/mscbot_password
cat: /run/keys/mscbot_password: Permission denied
| 18:15:35 |
@sumner:nevarro.space | running the same command as root works just fine | 18:15:55 |
hexa | so try sudo -u msclinkbot ls /run/keys | 18:16:25 |
@sumner:nevarro.space | that got permission denied as well... interesting | 18:16:49 |
hexa | will probably fail, so your user lacks the executable permission on that folder | 18:16:52 |
hexa | the unit likely needs SupplementaryGroups = [ "keys" ]; | 18:17:17 |
hexa | or something similar | 18:17:20 |
hexa | In reply to @sumner:nevarro.space "running the same command as root works just fine": root has CAP_DAC_READ_OVERRIDE fwiw | 18:17:57 |
@sumner:nevarro.space | In reply to @hexa:lossy.network "the unit likely needs SupplementaryGroups = [ "keys" ];": this seems to have worked. I should probably add this to the documentation... | 18:19:03 |
@sumner:nevarro.space | Thanks for your help! | 18:19:09 |