run semaphore as unpriv user

2025-11-04 08:02:28 +01:00 · 2023-08-24 21:36:04 +02:00
parent 1bc031af17
commit 0868002464
1 changed files with 5 additions and 0 deletions
--- a/src/ansible-semaphore/install-service.sh
+++ b/src/ansible-semaphore/install-service.sh
@@ -52,6 +52,9 @@ fi
 EOF
 chmod +x /usr/local/bin/update-semaphore

+useradd -m -r -s /bin/bash semaphore
+sudo -s -u semaphore bash -c 'ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -q -N ""'
+
 cat << EOF > /etc/apt/apt.conf.d/80-semaphore-apt-hook
 DPkg::Post-Invoke {"/usr/local/bin/update-semaphore";};
 EOF
@@ -70,6 +73,8 @@ ExecReload=/bin/kill -HUP \$MAINPID
 ExecStart=/usr/bin/semaphore service --config=/etc/semaphore/config.json
 SyslogIdentifier=semaphore
 Restart=always
+User=semaphore
+Group=semaphore

 [Install]
 WantedBy=multi-user.target