max / makenotwork

deploy: bake Session-3 git-SSH fixes into bootstrap

Two surfaces were silently broken after the Session 3 FHS migration:

mnw-cli.service had ReadWritePaths=/opt/git but creator git pushes now land in /var/lib/mnw/git (the rsynced target). Inside mnw-cli's systemd namespace that path is read-only, so git-receive-pack failed with EROFS ("unable to create temporary object directory") for every push. Add /var/lib/mnw to the unit's ReadWritePaths.

bootstrap-node.sh creates /etc/mnw mode 0750 root:SERVICE_USER. On a host that also runs git SSH (i.e. prod), the git user is neither owner nor in the service group, so mnw-admin git-auth could not load DATABASE_URL from /etc/mnw/makenotwork.env and panicked on every SSH invocation. Apply ACLs (u:git:x on the dir, u:git:r on the env file) when a git user exists. Conditional + idempotent.

Both fixes were applied live to prod tonight as a drop-in and ad-hoc setfacl calls; this commit codifies them for the next bootstrap.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Author: Max Johnson <me@maxj.phd> · 2026-06-03 03:51 UTC
Commit: 445bfb788e1347ffb704522e6e83892b5a910ecf
Parent: bfba435
2 files changed, +13 insertions, -1 deletion
@@ -24,7 +24,7 @@ NoNewPrivileges=false
24 24 ProtectSystem=strict
25 25 ProtectHome=true
26 26 PrivateTmp=true
27 - ReadWritePaths=/opt/mnw-cli /var/lib/mnw-cli /opt/git
27 + ReadWritePaths=/opt/mnw-cli /var/lib/mnw-cli /opt/git /var/lib/mnw
28 28 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
29 29 RestrictNamespaces=true
30 30 RestrictRealtime=true
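Review bot: the new entry opens all of /var/lib/mnw to the unit, while the commit message says pushes land in /var/lib/mnw/git specifically; with ProtectSystem=strict the narrower `ReadWritePaths=/opt/mnw-cli /var/lib/mnw-cli /var/lib/mnw/git` keeps the rest of the state tree (which bootstrap creates 0750 for $SERVICE_USER) read-only from inside this namespace, which is the whole point of the hardening block above it. Also, /opt/git stays in the list even though the message says pushes no longer land there; if nothing the unit runs still writes under /opt/git, drop it so the retired path does not remain writable by accident.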
@@ -118,6 +118,18 @@ install -d -o "$SERVICE_USER" -g "$SERVICE_USER" -m 0755 "$DEPLOY_ROOT" "$DEPLOY
118 118 install -d -o root -g "$SERVICE_USER" -m 0750 "$ETC_DIR"
119 119 install -d -o "$SERVICE_USER" -g "$SERVICE_USER" -m 0750 "$STATE_DIR"
120 120
121 + # If the git user exists (i.e. this host runs git SSH), grant it read access
122 + # to the env file via ACL so mnw-admin git-auth can load DATABASE_URL. The git
123 + # user is neither owner nor in the SERVICE_USER group, so without this the
124 + # /etc/mnw/makenotwork.env is unreadable and every `git push` panics with
125 + # "DATABASE_URL must be set". Conditional + idempotent.
126 + if getent passwd git >/dev/null; then
127 + setfacl -m u:git:x "$ETC_DIR"
128 + if [ -f "$ENV_FILE" ]; then
129 + setfacl -m u:git:r "$ENV_FILE"
130 + fi
131 + fi
132 +
121 133 log "6/8 sudoers (systemctl on $SERVICE_NAME for $SERVICE_USER)"
122 134 cat > "/etc/sudoers.d/${SERVICE_USER}-mnw" <<EOF
123 135 $SERVICE_USER ALL=(ALL) NOPASSWD: /bin/systemctl reload-or-restart $SERVICE_NAME, /bin/systemctl restart $SERVICE_NAME, /bin/systemctl status $SERVICE_NAME
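Review bot: the `if [ -f "$ENV_FILE" ]` guard silently skips the file ACL when makenotwork.env does not yet exist at this point in bootstrap-node.sh, so on a fresh host where the env file is written later in the script the fix this commit is meant to codify never lands and the "DATABASE_URL must be set" panic returns on the first push; either run the `setfacl -m u:git:r "$ENV_FILE"` after the env file is created, or add an `else` branch that logs the skip so it is visible. Two smaller points: the script now hard-depends on setfacl (and on /etc being on a filesystem with ACL support), so check for the binary before the getent branch or add the acl package to whatever installs prerequisites; and a read ACL on the whole env file exposes every variable in it, not only DATABASE_URL, to the account that services untrusted SSH pushes, so if the file carries more than git-auth needs, consider a separate file holding just the value git-auth reads, ideally for a database role limited to what git-auth queries.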