systemd user units #58
arcticicestudio added a commit that referenced this issue Nov 15, 2017

This commit for the new "systemd" (1) snowblock includes user service (2) units (3) to

1. automount the "sync" gocryptfs (4) volume located in the Dropbox (5) folder receiving the password stored in the GNOME Keyring (6) via the "secret-tool" ("libsecret" (7)).
2. automatically run an instance of the "ssh-agent" (8) using the "$SSH_AUTH_SOCK" and let systemd manage the "$SSH_AGENT_PID" env.

>>> snowsaw core plugin configuration

>>>> clean
The target path "~/.config/systemd/user" is cleaned before the "link" core plugin execution.

>>>> link
The target paths "~/.config/systemd/user" for all unit files will be created by snowsaw if they don't exist yet.
The "igloosync-dropbox.service" unit file will be linked for the "archbook" and "igloo" hosts while the "ssh-agent.service" file is linked by default.

References:
(1) https://wiki.archlinux.org/index.php/Systemd
(2) https://www.freedesktop.org/software/systemd/man/systemd.service.html
(3) https://www.freedesktop.org/software/systemd/man/systemd.unit.html
(4) https://github.com/rfjakob/gocryptfs
(5) https://www.dropbox.com
(6) https://wiki.archlinux.org/index.php/GNOME/Keyring
(7) https://wiki.gnome.org/Projects/Libsecret
(8) https://wiki.archlinux.org/index.php/SSH_keys#ssh-agent

GH-58
arcticicestudio added a commit that referenced this issue Nov 16, 2017

This commit for the new "systemd" (1) snowblock includes user service (2) units (3) to

1. automount the "sync" gocryptfs (4) volume located in the Dropbox (5) folder receiving the password stored in the GNOME Keyring (6) via the "secret-tool" ("libsecret" (7)).
2. automatically run an instance of the "ssh-agent" (8) using the "$SSH_AUTH_SOCK" and let systemd manage the "$SSH_AGENT_PID" env.

The new snowblock includes a documentation to describe the requirements for the "igloosync-dropbox.service" file. It contains information

* about how to create the required "gocryptfs" password stored- and received via "secret-tool"
* about how to configure FUSE (9) (libfuse (10)) with the "/etc/fuse.conf" file to allow non-root users to specify the "allow_other" or "allow_root" mount options which overrides the security measure restricting file access to the filesystem owner, so that all users (including root) can access the files.

>>> snowsaw core plugin configuration

>>>> clean
The target path "~/.config/systemd/user" is cleaned before the "link" core plugin execution.

>>>> link
The target paths "~/.config/systemd/user" for all unit files will be created by snowsaw if they don't exist yet.
The "igloosync-dropbox.service" unit file will be linked for the "archbook" and "igloo" hosts while the "ssh-agent.service" file is linked by default.

References:
(1) https://wiki.archlinux.org/index.php/Systemd
(2) https://www.freedesktop.org/software/systemd/man/systemd.service.html
(3) https://www.freedesktop.org/software/systemd/man/systemd.unit.html
(4) https://github.com/rfjakob/gocryptfs
(5) https://www.dropbox.com
(6) https://wiki.archlinux.org/index.php/GNOME/Keyring
(7) https://wiki.gnome.org/Projects/Libsecret
(8) https://wiki.archlinux.org/index.php/SSH_keys#ssh-agent
(9) https://en.wikipedia.org/wiki/Filesystem_in_Userspace
(10) https://github.com/libfuse/libfuse

GH-58
arcticicestudio added a commit that referenced this issue Nov 16, 2017

…r-units systemd user unit services

arcticicestudio added a commit that referenced this issue Sep 15, 2018

Created a new snowblock for launchd (1) snowblock includes a user agent defining a job to auto-mount the `sync` gocryptfs (2) volume located in the Dropbox (3) folder receiving the password stored in the macOS Keychain (4) via the macOS builtin system CLI tool `security`.

It also includes a documentation to describe the requirements for the `com.arcticicestudio.igloo.launchd.igloosync` agent. It consists of information about dependencies and how to create the required `gocryptfs` password stored- and received via the macOS builtin system CLI tool `security`.

Note that this is a macOS specific snowblock and therefore the `com.arcticicestudio.igloo.launchd.igloosync-dropbox.plist` agent and script file will only be linked for the `iceowl` host.

References:
(1) https://wiki.freebsd.org/launchd
(2) https://github.com/rfjakob/gocryptfs
(3) https://www.dropbox.com
(4) https://support.apple.com/guide/keychain-access/welcome/mac

* http://www.launchd.info
* launchd(1)
* launchd.plist(5)
* security(1)

Epic: GH-131
Related to GH-58
Closes GH-133

The new systemd snowblock should include user service units to

* `sync` gocryptfs volume located in the Dropbox folder receiving the password stored in the GNOME keyring via `secret-tool` (`libsecret`). The service unit should be named `igloosync-dropbox`.
* `ssh-agent` using the `$SSH_AUTH_SOCK` and let systemd manage the `$SSH_AGENT_PID` env

The new snowblock should include a documentation to describe the requirements for the `igloosync-dropbox.service` file. It should contain information

* `gocryptfs` password stored- and received via `secret-tool`
* `/etc/fuse.conf` file to allow non-root users to specify the `allow_other` or `allow_root` mount options which overrides the security measure restricting file access to the filesystem owner, so that all users (including root) can access the files. This is necessary to access the files of the mounted `gocryptfs` volume with applications that are run via `sudo`. It is used in the pacman snowblock for the local package repository to prevent a Permission Denied exception when running `pacman` (e.g. `sudo pacman -Sy`) if the `gocryptfs` volume is not mounted with the `-allow_other` option. Please note that `libfuse` has an unresolved security bug when using the `allow_other` mount option as described in the official documentation, but is of little concern if the filesystem is accessible only to the mounting user which is the case since these are dotfiles for a personal system:

snowsaw core plugin configuration

clean

The target path `~/.config/systemd/user` should be cleaned before the `link` core plugin execution.

link

The target paths `~/.config/systemd/user` for all unit files should be created by snowsaw if they don't exist yet.

The `igloosync-dropbox.service` unit file should only be linked for the `archbook` and `igloo` hosts while the `ssh-agent.service` file should be linked by default.
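
An added example, not part of the issue or the igloo repository: a small audit of the FUSE setting discussed above, reporting whether `/etc/fuse.conf` lets non-root users lift the owner-only restriction and which FUSE mounts currently do so. It assumes libfuse's `user_allow_other` key in `fuse.conf` and the `/proc/mounts` table format; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the igloo repository): audit whether FUSE's
# owner-only access restriction can be, or already is, lifted on this host.
# Function names are hypothetical; default paths are the usual Linux ones.

# Succeeds if the fuse.conf at $1 has an active (uncommented) user_allow_other
# line, i.e. non-root users may pass allow_other/allow_root when mounting.
fuse_conf_allows_other() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*(#.*)?$' "$1"
}

# Prints "mountpoint fstype option" for every FUSE mount in the mounts table
# at $1 (same format as /proc/mounts) mounted with allow_other or allow_root.
list_shared_fuse_mounts() {
    [ -r "$1" ] || return 0
    awk '$3 ~ /^fuse/ {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] == "allow_other" || opts[i] == "allow_root")
                print $2, $3, opts[i]
    }' "$1"
}

# Human-readable summary; always returns 0 so it is safe under `set -e`.
audit_fuse() {
    if fuse_conf_allows_other "$1"; then
        echo "$1: user_allow_other is enabled"
    else
        echo "$1: user_allow_other is not enabled"
    fi
    shared=$(list_shared_fuse_mounts "$2")
    if [ -n "$shared" ]; then
        echo "FUSE mounts accessible beyond the mounting user:"
        echo "$shared" | sed 's/^/  /'
    else
        echo "no FUSE mount uses allow_other/allow_root"
    fi
    return 0
}

audit_fuse /etc/fuse.conf /proc/mounts
```

Any mount it lists exposes the decrypted view of the volume to accounts other than the one that mounted it, so on a shared machine each entry should be a deliberate choice.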