systemd: enable 'ProtectHome=read-only'...

...thanks to gpg no longer needing to write lock files or a cache to
the user's home folder. That has been achieved by supplying the following
flags to the key export command:
    '--lock-never --no-symkey-cache --disable-dirmngr'
This commit is contained in:
surtur 2022-06-06 16:38:58 +02:00
parent e7e9ec51f1
commit e00b7256af
Signed by: wanderer
GPG Key ID: 19CE1EC1D9E0486D
2 changed files with 2 additions and 3 deletions


@ -13,7 +13,7 @@ export RENOVATE_HOST_RULES="[{\"hostType\": \"github\", \"domainName\": \"github
export RENOVATE_DOCKER_USER="${RENOVATE_DOCKER_USER_AND_GROUP}"
# used as the git signing key only to sign commits/tags
GPG_KEY="$(gpg --armor --export-secret-keys "${SIGNING_KEY}")"
GPG_KEY="$(gpg --armor --lock-never --no-symkey-cache --disable-dirmngr --export-secret-keys "${SIGNING_KEY}")"
export RENOVATE_GIT_PRIVATE_KEY="${GPG_KEY}"
# enable custom (i.e. self-hosted) rust crate registries
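Review bot: The new export line still discards gpg's exit status, so if the export fails under the now read-only home (for example because `--lock-never` is not enough and gpg still needs to write to `~/.gnupg`, or because a passphrase prompt cannot be answered without `--batch`), `GPG_KEY` is silently empty and `RENOVATE_GIT_PRIVATE_KEY` is exported as an empty string. Add an explicit check after the assignment: `GPG_KEY="$(gpg --armor --lock-never --no-symkey-cache --disable-dirmngr --export-secret-keys "${SIGNING_KEY}")" || exit 1` followed by `: "${GPG_KEY:?gpg export produced no key}"`. The reason for the three new flags is only in the commit message; a comment on the line such as `# --lock-never/--no-symkey-cache/--disable-dirmngr: avoid writes to ~/.gnupg so the unit can run with ProtectHome=read-only` would keep that coupling visible in the file. Whether gpg-agent is still reachable when /run/user is read-only as well is not visible here and should be confirmed by running the unit once.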


@ -38,8 +38,7 @@ ReadWritePaths=/home/renovate-bot/.npm
NoNewPrivileges=True
ProtectSystem=strict
; home dir rw access is needed for gpg
; ProtectHome=read-only
ProtectHome=read-only
ProtectProc=invisible
ProcSubset=pid
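Review bot: Enabling `ProtectHome=read-only` here silently depends on the gpg flags added in the other file; if someone later drops those flags, the export in the home directory breaks without any hint in this unit. Replace the removed comment with one that records the dependency, e.g. `; read-only home is sufficient because the gpg key export runs with --lock-never --no-symkey-cache --disable-dirmngr`. Note also that `ProtectHome=read-only` makes /run/user read-only in addition to /home and /root, which presumably affects where gpg-agent can place its socket; the `ReadWritePaths=/home/renovate-bot/.npm` line at the top of the hunk is the only write exception visible, so confirm the export still succeeds under the sandbox rather than relying on the commit message alone.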