From e00b7256afe656892878fecdfead34fd26082817 Mon Sep 17 00:00:00 2001
From: surtur
Date: Mon, 6 Jun 2022 16:38:58 +0200
Subject: [PATCH] systemd: enable 'ProtectHome=read-only'...

...thanks to gpg no longer needing to write lock files or cache to user's home folder. that has been achieved by supplying the following flags to the key export command: '--lock-never --no-symkey-cache --disable-dirmngr'
---
 bin/renovatepls | 2 +-
 etc/systemd/system/renovate.service | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/bin/renovatepls b/bin/renovatepls
index bf15c57..a792947 100755
--- a/bin/renovatepls
+++ b/bin/renovatepls
@@ -13,7 +13,7 @@ export RENOVATE_HOST_RULES="[{\"hostType\": \"github\", \"domainName\": \"github
 export RENOVATE_DOCKER_USER="${RENOVATE_DOCKER_USER_AND_GROUP}"
 # used as the git signing key only to sign commits/tags
-GPG_KEY="$(gpg --armor --export-secret-keys "${SIGNING_KEY}")"
+GPG_KEY="$(gpg --armor --lock-never --no-symkey-cache --disable-dirmngr --export-secret-keys "${SIGNING_KEY}")"
 export RENOVATE_GIT_PRIVATE_KEY="${GPG_KEY}"
 # enable custom (i.e. self-hosted) rust crate registries
diff --git a/etc/systemd/system/renovate.service b/etc/systemd/system/renovate.service
index b17cc60..235f4cd 100644
--- a/etc/systemd/system/renovate.service
+++ b/etc/systemd/system/renovate.service
@@ -38,8 +38,7 @@ ReadWritePaths=/home/renovate-bot/.npm
 NoNewPrivileges=True
 ProtectSystem=strict
-; home dir rw access is needed for gpg
-; ProtectHome=read-only
+ProtectHome=read-only
 ProtectProc=invisible
 ProcSubset=pid
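Review bot: The new gpg invocation still has no failure handling: if the export fails (unknown `${SIGNING_KEY}`, or gpg-agent unreachable now that the home directory is read-only) the command substitution yields an empty string and the next context line exports an empty `RENOVATE_GIT_PRIVATE_KEY`, so the bot would run unsigned rather than stop, and nothing visible in the hunk shows `set -e`. `--export-secret-keys` also needs gpg-agent and, for a passphrase-protected key, a pinentry, which in a unit with no tty can block the service indefinitely, whereas `--batch` turns that into an immediate error. I'd change the line to `GPG_KEY="$(gpg --batch --armor --lock-never --no-symkey-cache --disable-dirmngr --export-secret-keys "${SIGNING_KEY}")" || exit 1` and follow it with `[ -n "${GPG_KEY}" ] || { echo "renovatepls: empty signing key export" >&2; exit 1; }`. `--lock-never` is only safe here because the export is read-only and this unit is presumably the sole process touching that keyring (gpg's own documentation limits the flag to that situation), so a one-line comment stating that assumption would help the next reader. The enclosing script starts and ends outside the hunk.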
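Review bot: The added `ProtectHome=read-only` now depends on `bin/renovatepls` passing `--lock-never --no-symkey-cache --disable-dirmngr` to gpg, but the comment that recorded the old constraint was removed with nothing in its place, so a later change to the export command would re-break the unit with no hint here; I'd put `; read-only suffices only because renovatepls exports the key with --lock-never --no-symkey-cache --disable-dirmngr, so gpg never writes under $HOME` directly above the new line. Worth verifying on the host rather than taking from the commit message: `read-only` applies to `/run/user` as well as `/home`, and gpg 2.1+ needs a reachable gpg-agent for `--export-secret-keys`, so if the agent must be auto-launched inside this sandbox its socket creation may fail. The `ReadWritePaths=/home/renovate-bot/.npm` exception in the hunk header is unchanged and is the only writable path under the home directory visible here, which is consistent with the new setting. If the home directory holds anything besides `.gnupg` and `.npm`, a stricter variant is `ProtectHome=tmpfs` with `BindReadOnlyPaths=/home/renovate-bot/.gnupg` and `BindPaths=/home/renovate-bot/.npm`, which hides everything else instead of exposing it read-only.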