No description

Find a file

CroneKorkN 656be1cf69 fix(left4me): move ProcSubset=pid from COMMON to SERVER-only Discovered post-deploy: ProcSubset=pid hides /proc/sys/kernel/random/boot_id which journalctl reads at startup. The web app invokes `sudo -n left4me-journalctl` to stream live server logs into the UI; journalctl bails with "Failed to get boot ID" before producing any output. Web log streaming was silently broken. Server unit keeps ProcSubset=pid (srcds doesn't invoke journalctl); web unit drops it. ProtectProc=invisible remains in COMMON — that's the load-bearing D4 defense (foreign-uid /proc hidden). Reproducer that confirms the diagnosis: systemd-run --pipe --uid=left4me --gid=left4me \ -p ProcSubset=pid -p ProtectProc=invisible \ -p ProtectSystem=strict -p PrivateTmp=true \ [...rest of web hardening...] \ -- sh -c 'sudo -n left4me-journalctl 2 --lines 3 --follow >/var/lib/left4me/tmp/out 2>&1' # cat /var/lib/left4me/tmp/out → "Failed to get boot ID: No such file or directory" # rc → 1 With ProcSubset=all: timeout 124 (helper running), 3 lines streamed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>		2026-05-15 16:14:33 +02:00
bin	docs: scaffold agent-friendly entry points (Phase 1)	2026-05-10 15:44:45 +02:00
bundles	fix(left4me): move ProcSubset=pid from COMMON to SERVER-only	2026-05-15 16:14:33 +02:00
data	nginx: SSE-friendly proxy_pass + unconditional $connection_upgrade map	2026-05-10 22:12:03 +02:00
doc	play around with systemd hardening	2022-03-27 13:29:58 +02:00
docs	docs/specs: round-2 agents-md refactor design (gaps 7-12)	2026-05-10 20:39:40 +02:00
groups	groups: add applications/left4me	2026-05-10 18:08:36 +02:00
hooks	docs: scaffold agent-friendly entry points (Phase 1)	2026-05-10 15:44:45 +02:00
items	docs: scaffold agent-friendly entry points (Phase 1)	2026-05-10 15:44:45 +02:00
libs	docs: scaffold agent-friendly entry points (Phase 1)	2026-05-10 15:44:45 +02:00
nodes	left4me: prefix steam_web_api_key vault value with !decrypt:	2026-05-12 22:57:21 +02:00
.editorconfig	editorconfig	2022-08-09 16:49:48 +02:00
.envrc	PATH_add bin	2023-08-09 07:16:06 +02:00
.gitignore	gitignore: add bundlewrap git_deploy_repos map (operator-specific paths)	2026-05-10 18:43:59 +02:00
AGENTS.md	AGENTS.md: drop the 6th ccc rule	2026-05-11 00:26:12 +02:00
CLAUDE.md	docs: scaffold agent-friendly entry points (Phase 1)	2026-05-10 15:44:45 +02:00
groups.py	print message on parsing group error	2025-06-22 09:36:56 +02:00
hass_get_temp.py	bootshorn stuff	2025-08-24 15:23:17 +02:00
nodes.py	demagify remove faults	2023-02-23 18:27:27 +01:00
README.md	README: drop stale 'install bw fork' instruction	2026-05-10 15:19:44 +02:00
requirements.txt	switch bundlewrap install to editable from CroneKorkN/bundlewrap@main	2026-05-10 15:14:31 +02:00

README.md

TODO

dont spamfilter forwarded mails
gollum wiki
blog?
fix dkim not working sometimes
LDAP
oauth2/OpenID
icinga

Raspberry pi as soundcard

gadget mode
OTG g_audio
https://audiosciencereview.com/forum/index.php?threads/raspberry-pi-as-usb-to-i2s-adapter.8567/post-215824

monitor timers

Timer=backup

Triggers=$(systemctl show ${Timer}.timer --property=Triggers --value)
echo $Triggers
if systemctl is-failed "$Triggers"
then
  InvocationID=$(systemctl show "$Triggers" --property=InvocationID --value)
  echo $InvocationID
  ExitCode=$(systemctl show "$Triggers" -p ExecStartEx --value | sed 's/^{//' | sed 's/}$//' | tr ';' '\n' | xargs -n 1 | grep '^status=' | cut -d '=' -f 2)
  echo $ExitCode
  journalctl INVOCATION_ID="$InvocationID" --output cat
fi

telegraf: execd for daemons

TEST

git signing

git config --global gpg.format ssh git config --global commit.gpgsign true

git config user.name CroneKorkN git config user.email i@ckn.li git config user.signingkey "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMVroYmswD4tLk6iH+2tvQiyaMe42yfONDsPDIdFv6I"