From ad23b508e3199490709608bc26e9cddb49bb6805 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Wed, 26 Feb 2020 20:37:47 +0100
Subject: [PATCH] {generate,setup}-secrets: remove process hardening

ProtectSystem=full disables writing to /etc which is the default secrets location. Besides that, hardening is pointless for {generate,setup}-secrets which don't read external input and are fully under our control.
---
 modules/secrets/generate-secrets.nix | 2 +-
 modules/secrets/secrets.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/secrets/generate-secrets.nix b/modules/secrets/generate-secrets.nix
index c9a38aa..493c8ff 100644
--- a/modules/secrets/generate-secrets.nix
+++ b/modules/secrets/generate-secrets.nix
@@ -14,7 +14,7 @@ with lib;
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = true;
-      } // config.nix-bitcoin-services.defaultHardening;
+      };
       script = ''
         mkdir -p "${config.nix-bitcoin.secretsDir}"
         cd "${config.nix-bitcoin.secretsDir}"
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 163346d..0149289 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -56,7 +56,7 @@ in
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = true;
-      } // config.nix-bitcoin-services.defaultHardening;
+      };
       script = ''
         setupSecret() {
           file="$1"
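Review bot: Dropping the whole `defaultHardening` set in both `generate-secrets.nix` and `secrets.nix` gives up more than the single directive the message blames; the write into the secrets directory can be allowed while the rest of the sandbox stays, e.g. `} // config.nix-bitcoin-services.defaultHardening // { ReadWritePaths = [ config.nix-bitcoin.secretsDir ]; };` (systemd documents `ReadWritePaths=` as the way to exempt specific directories from `ProtectSystem=`, which is worth confirming against the systemd version in use). Both units are oneshots that write key material into that directory, so whatever `defaultHardening` contains beyond `ProtectSystem` (not visible here) would still bound what a scripting mistake can reach. If the full removal is intended, a one-line comment at the `serviceConfig` attribute such as `# defaultHardening omitted: ProtectSystem=full blocks writes to the secrets dir under /etc` keeps the reason next to the code instead of only in the commit message. Both `script` bodies continue past their hunks.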