systemd: enable 'ProtectHome=read-only'...
...thanks to gpg no longer needing to write lock files or a cache to the user's home folder. That has been achieved by supplying the following flags to the key export command: '--lock-never --no-symkey-cache --disable-dirmngr'
This commit is contained in:
parent
e7e9ec51f1
commit
e00b7256af
|
@ -13,7 +13,7 @@ export RENOVATE_HOST_RULES="[{\"hostType\": \"github\", \"domainName\": \"github
|
||||||
export RENOVATE_DOCKER_USER="${RENOVATE_DOCKER_USER_AND_GROUP}"
|
export RENOVATE_DOCKER_USER="${RENOVATE_DOCKER_USER_AND_GROUP}"
|
||||||
|
|
||||||
# used as the git signing key only to sign commits/tags
|
# used as the git signing key only to sign commits/tags
|
||||||
GPG_KEY="$(gpg --armor --export-secret-keys "${SIGNING_KEY}")"
|
GPG_KEY="$(gpg --armor --lock-never --no-symkey-cache --disable-dirmngr --export-secret-keys "${SIGNING_KEY}")"
|
||||||
|
|
||||||
export RENOVATE_GIT_PRIVATE_KEY="${GPG_KEY}"
|
export RENOVATE_GIT_PRIVATE_KEY="${GPG_KEY}"
|
||||||
# enable custom (i.e. self-hosted) rust crate registries
|
# enable custom (i.e. self-hosted) rust crate registries
|
||||||
|
|
|
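Review bot: The new export line still runs gpg against its default home directory, and `--lock-never` only suppresses lock files, so with /home now read-only gpg may still attempt other writes there (trustdb maintenance, the random seed file); if the export fails inside `$(...)`, `GPG_KEY` is assigned empty and the script goes on to export an empty `RENOVATE_GIT_PRIVATE_KEY` unless it runs under `set -e`, which is not visible in the hunk. A guard after the assignment, `[[ -n "${GPG_KEY}" ]] || { printf 'gpg secret key export failed\n' >&2; exit 1; }`, turns that into a loud failure instead of a bot that silently cannot sign. Adding `--no-random-seed-file` to the same command would remove one more write that a read-only home can break, though that should be confirmed against the gpg version in use. Since the secret key ends up in the process environment, `set -x` or any command echoing in this script must stay off; the enclosing script continues outside the hunk.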
@ -38,8 +38,7 @@ ReadWritePaths=/home/renovate-bot/.npm
|
||||||
|
|
||||||
NoNewPrivileges=True
|
NoNewPrivileges=True
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict
|
||||||
; home dir rw access is needed for gpg
|
ProtectHome=read-only
|
||||||
; ProtectHome=read-only
|
|
||||||
ProtectProc=invisible
|
ProtectProc=invisible
|
||||||
ProcSubset=pid
|
ProcSubset=pid
|
||||||
|
|
||||||
|
|
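Review bot: Dropping the `; home dir rw access is needed for gpg` comment leaves no record in the unit of why read-only is now sufficient, so the next person touching the gpg invocation has no pointer back here; a line above `ProtectHome=read-only` such as `; read-only is enough: the gpg export in the env script runs with --lock-never --no-symkey-cache --disable-dirmngr` keeps the two files tied together. It is also worth confirming that `ReadWritePaths=/home/renovate-bot/.npm` (visible in the hunk header) still yields a writable path under `ProtectHome=read-only`, since both settings shape the same mount namespace and a lost npm cache would surface only at runtime, not at unit load. The `[Service]` section continues outside the hunk.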