From 9fbd84c3b502d8a8f26ac2eebe5210da63fee873 Mon Sep 17 00:00:00 2001
From: CroneKorkN
Date: Tue, 12 May 2026 22:57:21 +0200
Subject: [PATCH] left4me: tighten host.env to 0640 root:left4me

Both env files now follow the same pattern: root owns the config so the service user can't overwrite its own config, group=left4me so the sudo -u left4me alembic + seed-overlays actions can source the file (they failed with 'permission denied' when group=root and mode=0640).

Co-Authored-By: Claude Sonnet 4.6
---
 bundles/left4me/items.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/bundles/left4me/items.py b/bundles/left4me/items.py
index 6f2f39e..9c9e457 100644
--- a/bundles/left4me/items.py
+++ b/bundles/left4me/items.py
@@ -111,9 +111,15 @@ files = {
 '/etc/left4me/host.env': {
 'source': 'etc/left4me/host.env.mako',
 'content_type': 'mako',
- 'mode': '0644',
+ 'mode': '0640',
 'owner': 'root',
- 'group': 'root',
+ # group=left4me so the alembic + seed-overlays actions (which run as
+ # `sudo -u left4me sh -c '. /etc/left4me/host.env'`) can source it.
+ # Same pattern as web.env below.
+ 'group': 'left4me',
+ 'needs': [
+ 'group:left4me',
+ ],
 },
 '/etc/left4me/web.env': {
 'source': 'etc/left4me/web.env.mako',
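Review bot: The new comment on the host.env item explains why `group` becomes left4me but not why `owner` stays root or why `mode` drops from 0644 to 0640, which is the security-relevant half of this hunk; the commit message carries that rationale, the file will not. Fold it into the comment, e.g. `# 0640 root:left4me: root-owned so the service user cannot rewrite its own config; group-readable only, no longer world-readable.` The added `needs` only orders `group:left4me` before this file; if the alembic and seed-overlays actions named in the comment source it, they presumably also want a dependency on `file:/etc/left4me/host.env` so a first run does not hit the old permissions — those action items are outside the hunk, so confirm. The enclosing `files = {` dict starts and ends outside the hunk.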