From 08680024642361caabf0d72b6db17828e326051e Mon Sep 17 00:00:00 2001
From: thorstenspille
Date: Thu, 24 Aug 2023 21:36:04 +0200
Subject: [PATCH] run semaphore as unpriv user
---
 src/ansible-semaphore/install-service.sh | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/ansible-semaphore/install-service.sh b/src/ansible-semaphore/install-service.sh
index c3a05ad..1b316a4 100644
--- a/src/ansible-semaphore/install-service.sh
+++ b/src/ansible-semaphore/install-service.sh
@@ -52,6 +52,9 @@ fi
 EOF
 chmod +x /usr/local/bin/update-semaphore
+useradd -m -r -s /bin/bash semaphore
+sudo -s -u semaphore bash -c 'ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -q -N ""'
+
 cat << EOF > /etc/apt/apt.conf.d/80-semaphore-apt-hook
 DPkg::Post-Invoke {"/usr/local/bin/update-semaphore";};
 EOF
@@ -70,6 +73,8 @@ ExecReload=/bin/kill -HUP \$MAINPID
 ExecStart=/usr/bin/semaphore service --config=/etc/semaphore/config.json
 SyslogIdentifier=semaphore
 Restart=always
+User=semaphore
+Group=semaphore
 [Install]
 WantedBy=multi-user.target
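Review bot: In the first hunk the two added commands are not safe to re-run, and the key path depends on how sudo sets HOME: `useradd` fails when the `semaphore` account already exists, `ssh-keygen` stops at its overwrite prompt when the key file is already there, and `~` under `sudo -s` resolves to the new account's home only if sudo resets HOME for the target user. Guarding both and pinning the path would avoid this, for example `id -u semaphore >/dev/null 2>&1 || useradd -m -r -s /bin/bash semaphore` and `[ -f /home/semaphore/.ssh/id_ed25519 ] || sudo -H -u semaphore ssh-keygen -t ed25519 -f /home/semaphore/.ssh/id_ed25519 -q -N ""` (assuming the default home directory). The account also ends up with an interactive login shell and an unencrypted private key; a comment such as `# key used by semaphore for outbound SSH; no passphrase because the service runs unattended` would record the intent (presumably that is the purpose — confirm), and a non-login shell is worth considering if nothing needs to log in as this user. The rest of the script is outside the hunk, so whether it runs under `set -e` cannot be seen here.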
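Review bot: In the second hunk, `User=semaphore` and `Group=semaphore` take effect without any matching change to file ownership: the patch adds only the account and these two unit lines, so `/etc/semaphore/config.json` and whatever database or working directory it points to (not visible here) must already be readable, and where needed writable, by the new user or the service will fail at start. The config file presumably holds secrets, so I would set its access explicitly next to the user creation, for example `chown root:semaphore /etc/semaphore/config.json` and `chmod 640 /etc/semaphore/config.json`, and hand the service ownership only of the paths it has to write. Now that the process is unprivileged, `NoNewPrivileges=true` and `PrivateTmp=true` in the same `[Service]` section are inexpensive hardening worth considering. The unit's heredoc starts and ends outside the hunk.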