systemd: enable 'ProtectHome=read-only'...
...thanks to gpg no longer needing to write lock files or cache to the user's home folder. That has been achieved by supplying the following flags to the key export command: '--lock-never --no-symkey-cache --disable-dirmngr'
This commit is contained in:
parent
e7e9ec51f1
commit
e00b7256af
|
@ -13,7 +13,7 @@ export RENOVATE_HOST_RULES="[{\"hostType\": \"github\", \"domainName\": \"github
|
|||
export RENOVATE_DOCKER_USER="${RENOVATE_DOCKER_USER_AND_GROUP}"
|
||||
|
||||
# used as the git signing key only to sign commits/tags
|
||||
GPG_KEY="$(gpg --armor --export-secret-keys "${SIGNING_KEY}")"
|
||||
GPG_KEY="$(gpg --armor --lock-never --no-symkey-cache --disable-dirmngr --export-secret-keys "${SIGNING_KEY}")"
|
||||
|
||||
export RENOVATE_GIT_PRIVATE_KEY="${GPG_KEY}"
|
||||
# enable custom (i.e. self-hosted) rust crate registries
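Review bot: GPG_KEY is captured from the export and immediately exported as RENOVATE_GIT_PRIVATE_KEY with no check that gpg actually produced anything, so if the export fails (for example because the key is passphrase-protected and no pinentry is reachable under the unit, or the keyring becomes unwritable) an empty private key is exported silently unless the script runs under `set -e`, which is not visible in this hunk. Consider adding `[[ -n "${GPG_KEY}" ]] || { printf 'gpg export of %s failed\n' "${SIGNING_KEY}" >&2; exit 1; }` right after the assignment. The `--lock-never` flag also deserves a why-comment in the script, e.g. `# --lock-never disables keyring locking; safe only while this is the sole gpg call against the keyring`, since that assumption is what makes the read-only home directory workable. Note that the exported key lives in the process environment, readable by every child process, so ProtectProc=invisible in the unit is doing real work for this value.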
|
||||
|
|
|
@ -38,8 +38,7 @@ ReadWritePaths=/home/renovate-bot/.npm
|
|||
|
||||
NoNewPrivileges=True
|
||||
ProtectSystem=strict
|
||||
; home dir rw access is needed for gpg
|
||||
; ProtectHome=read-only
|
||||
ProtectHome=read-only
|
||||
ProtectProc=invisible
|
||||
ProcSubset=pid
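Review bot: The new ProtectHome=read-only line drops the rationale the removed comment carried, and a later maintainer who sees gpg in the script may well flip it back to rw; suggest keeping a comment above it such as `; gpg export runs with --lock-never --no-symkey-cache --disable-dirmngr, so the home dir can stay read-only`. The ReadWritePaths=/home/renovate-bot/.npm shown in the hunk header presumably still grants write access to that subdirectory regardless of ProtectHome, so the read-only guarantee covers the rest of the home directory only — worth confirming that is intended and that the signing keyring does not live under that path.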
|
||||
|
||||
|
|