cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

left4me: tighten host.env to 0640 root:left4me

Browse source 
Both env files now follow the same pattern: root owns the config so the
service user can't overwrite its own config, group=left4me so the
sudo -u left4me alembic + seed-overlays actions can source the file
(they failed with 'permission denied' when group=root and mode=0640).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
CroneKorkN 2026-05-12 22:57:21 +02:00
parent 1039e23671
commit 9fbd84c3b5
Signed by: cronekorkn
SSH key fingerprint: SHA256:v0410ZKfuO1QHdgKBsdQNF64xmTxOF8osF1LIqwTcVw
1 changed files with 8 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
bundles/left4me/items.py
View file

@ -111,9 +111,15 @@ files = {
'/etc/left4me/host.env': { '/etc/left4me/host.env': {
'source': 'etc/left4me/host.env.mako', 'source': 'etc/left4me/host.env.mako',
'content_type': 'mako', 'content_type': 'mako',
'mode': '0644', 'mode': '0640',
'owner': 'root', 'owner': 'root',
'group': 'root', # group=left4me so the alembic + seed-overlays actions (which run as
# `sudo -u left4me sh -c '. /etc/left4me/host.env'`) can source it.
# Same pattern as web.env below.
'group': 'left4me',
'needs': [
'group:left4me',
],
}, },
'/etc/left4me/web.env': { '/etc/left4me/web.env': {
'source': 'etc/left4me/web.env.mako', 'source': 'etc/left4me/web.env.mako',