<!--
vim:fileencoding=utf-8:foldmethod=marker
-->

## using sops-nix or other stuff to pass big chungus files to services with DynamicUser=true

afaik this is not possible.

The option that makes the most sense, `LoadCredential=`, only supports files up to 1 MB in size.
([relevant documentation (`systemd.exec(5)`)](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LoadCredential=ID:PATH:~:text=Currently%2C%20an,is%20enforced))

Without that option, we are only left with giving a user access to the file somehow.

Doing that directly via systemd is not possible either. We cannot get the dynamic user's id in an `ExecStartPre=` hook with the `+` prefix to `chown` the file.
The hook is run with root privileges and there are no signs of the final ephemeral user id. The same happens with
hooks prefixed with `!`.

```admonish note
While the `!` syntax does preallocate a dynamic user, we cannot use it to change any permissions. (at least per my last attempt)
```

<!--
 This is a vim fold. press z+o to open, z+c to close.
 Terminal output {{{
-->
~~~admonish tldr title="Terminal Output" collapsible=true
```ShellSession
cassie in marisa in ~ took 1s
✗ 1 ➜ systemd-run -pPrivateTmp=true -pDynamicUser=true --property="SystemCallFilter=@system-service ~@privileged ~@resources" -pExecStartPre="+env" -pPrivateUsers=true -t bash

Running as unit: run-u1196.service
Press ^] three times within 1s to disconnect TTY.
LANG=en_US.UTF-8
PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
LOGNAME=run-u1196
USER=run-u1196
[...]
^C%

cassie in marisa in ~ took 2s
➜ systemd-run -pPrivateTmp=true -pDynamicUser=true --property="SystemCallFilter=@system-service ~@privileged ~@resources" -pExecStartPre="\!env" -pPrivateUsers=true -t bash

Running as unit: run-u1200.service
Press ^] three times within 1s to disconnect TTY.
LANG=en_US.UTF-8
PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
LOGNAME=run-u1200
USER=run-u1200
[...]
^C%

cassie in marisa in ~ took 2s
➜ systemd-run -pPrivateTmp=true -pDynamicUser=true -pSystemCallFilter=@system-service -pSystemCallFilter=~@privileged -pSystemCallFilter=~@resources -pExecStartPre="\!bash -c 'echo \$UID'" -pPrivateUsers=true -t bash -c "ls"

Running as unit: run-u1236.service
Press ^] three times within 1s to disconnect TTY.
0
^C%

cassie in marisa in ~ took 4s
➜ systemd-run -pPrivateTmp=true -pDynamicUser=true -pSystemCallFilter=@system-service -pSystemCallFilter=~@privileged -pSystemCallFilter=~@resources -pExecStartPre="+bash -c 'echo \$UID'" -pPrivateUsers=true -t bash -c "ls"

Running as unit: run-u1241.service
Press ^] three times within 1s to disconnect TTY.
0
^C%
```
~~~
<!--
 }}}
-->

So now we are left with the only option, which is to create a non-ephemeral user, assign it to the unit and disable `DynamicUser=`.
This step is a little involved: you will have to add a `User=` option to the service and forcibly disable `DynamicUser=`.

I opted to replace the entire module file with my own under a different name, as I had to fix a mistake in it anyway.
Here's the link to [the modified source file.](https://github.com/soopyc/mystia/blob/a999736/modules/fixups/nitter.nix)
For clarity's sake, [this is the diff of the changes made.](https://github.com/soopyc/mystia/compare/3be5eef..a999736)
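The static-user approach described above, written out as an added NixOS module example (this is not the author's nitter.nix; the service name `exampleservice`, its user and the secret name are assumptions):

```nix
# Added example: pin a service whose upstream module sets DynamicUser = true
# to a static system user, so a sops-nix secret larger than the
# LoadCredential= limit can be owned by that user instead of by root.
{ config, lib, ... }:
let
  svc = "exampleservice";  # hypothetical service defined by another module with DynamicUser = true
  user = "exampleservice"; # hypothetical static user the unit will run as
in
{
  # A non-ephemeral system user and group; these exist at activation time,
  # so sops-nix can chown the decrypted secret to them.
  users.users.${user} = {
    isSystemUser = true;
    group = user;
  };
  users.groups.${user} = { };

  # sops-nix decrypts into /run/secrets/<name>; owner/group/mode control who
  # can read it. 0400 keeps it readable by the service user only.
  sops.secrets."${svc}-big-secret" = {
    owner = user;
    group = user;
    mode = "0400";
    restartUnits = [ "${svc}.service" ];
  };

  systemd.services.${svc}.serviceConfig = {
    # The upstream module already sets DynamicUser = true with default
    # priority; mkForce overrides it instead of producing a conflict error.
    DynamicUser = lib.mkForce false;
    User = user;
    Group = user;
  };
}
```

Any `StateDirectory=`/`CacheDirectory=` the upstream module declares keeps working, since systemd chowns those to the configured `User=` either way.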