steve/restic-manager
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases 1 Wiki Activity

P6-01 + P6-02: agent self-update + fleet update #19

Merged
steve merged 12 commits from p6-agent-self-update into main 2026-05-07 17:49:25 +01:00
Conversation 0 Commits 12 Files Changed 47
+6 -1
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 83d97a27cc - Show all commits
deploy/install/restic-manager-agent.service
+6 -1
View File
@@ -52,7 +52,12 @@ ProtectSystem=full
# whenever a new SecretsKey is minted, so we need a targeted # whenever a new SecretsKey is minted, so we need a targeted
# write-exemption for that dir. No exemption for the rest of /etc: # write-exemption for that dir. No exemption for the rest of /etc:
# the agent has no business editing /etc/passwd, /etc/sudoers, etc. # the agent has no business editing /etc/passwd, /etc/sudoers, etc.
ReadWritePaths=/etc/restic-manager #
# /usr/local/bin is writable so the self-update flow (P6-01) can
# atomic-rename a fresh binary over the running one. Permitting the
# whole directory (rather than just the binary path) is required
# because os.Rename takes a write lock on the parent dir.
ReadWritePaths=/etc/restic-manager /usr/local/bin
ProtectHostname=true ProtectHostname=true
ProtectKernelTunables=true ProtectKernelTunables=true
ProtectKernelModules=true ProtectKernelModules=true