ftbd

joined 10 months ago
[–] ftbd@feddit.org 1 points 21 hours ago

'Everyone' means everyone :)

[–] ftbd@feddit.org 1 points 21 hours ago

Bavaria

Alcohol clearly addressed

Pick one

[–] ftbd@feddit.org 3 points 23 hours ago

I think the non-food stuff is better at Lidl on average, but I like going to Aldi (Süd) way more overall

[–] ftbd@feddit.org 5 points 1 day ago (2 children)

I believe in Aldi-Süd superiority

[–] ftbd@feddit.org 2 points 1 day ago (1 children)

And the power consumption would probably be lower than leaving the computer idling

[–] ftbd@feddit.org 3 points 1 day ago (1 children)

My impression was that they wanted to put the 'other side', i.e. what the boomers at home might be thinking, on the table for once. And apart from a few repetitions caused by misunderstandings, she did respond to it quite sensibly.

[–] ftbd@feddit.org 3 points 1 day ago

Isn't g typically used for the gravity of earth? And G for the general gravitational constant (independent of mass) in Newton's gravity law?

[–] ftbd@feddit.org 2 points 3 days ago

Never skip back day

[–] ftbd@feddit.org 3 points 3 days ago (4 children)

Yes, but that is BC. What then is 'pre BC'?

[–] ftbd@feddit.org 13 points 3 days ago (2 children)

But I have not yet heard anything from politicians along the lines of "we want conscription for everyone, but we currently can't get a majority for it. That will be caught up on as soon as possible"

[–] ftbd@feddit.org 20 points 3 days ago (3 children)

But it means that such machines should not be live on twitter. Unless whoever runs twitter and this bot wants fash content on there.

[–] ftbd@feddit.org 1 points 3 days ago (1 children)

With LUKS, your boot/efi partition is still unencrypted. So someone could install a malicious bootloader, and you probably wouldn't know and would enter your password. With secure boot, the malicious bootloader won't boot because it has no valid signature.

 

Hi everyone!

I'm in the process of finally doing containers right in my NixOS installation. This is my 'wishlist':

  • podman containers should be run by users with minimal permissions
  • separate user per container
  • containers managed by systemd services for easier management

My current work-in-progress setup looks like this:

For each service (called $name), I have:

  • a user and corresponding group (referred to as $uid in the following)
  • a directory /srv/$name owned by $uid, in which mounted volumes are located

My containers are declared like this:

virtualisation.oci-containers.containers = {
    ${name} = {
        image = ...;
        ports = [ ... ];
        volumes = [
            "/srv/${name}/config:/config"
            ...
        ];
        user = "${uid}:${gid}";
        extraOptions = [
            "--security-opt=no-new-privileges:true"
        ];
    };
};

Now for the parts I don't fully understand yet:

  • some images allow setting environment.PUID to specify a user. Does setting this option (and not setting user=$uid in the container declaration itself) mean that the container will be run as root, and the program inside will merely use PUID when e.g. creating files? This would still allow a malicious container to run commands as root on the host, right?

  • virtualisation.oci-containers.containers creates a systemd service. Since this is not a user-service for my user $uid, I need sudo to start/stop the container. Does that mean that the systemd service is run with root permissions, but it executes the command to spawn the container as $uid? If whatever is running inside the container was malicious, is there a functional difference between the container being started 'by root as $uid' and it being started by me (after logging in as $uid)?

  • Is it feasible to make these systemd services user-services owned by $uid instead?

  • Are there further hardening steps I forgot about?

Thanks for your input!
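A hardened form of the declaration above, as an added example that is not the poster's configuration; the service name `myapp`, the uid 2001 and the image reference are placeholders, and the comments record the rootful/rootless distinction the questions ask about.

```nix
{ ... }:
let
  name = "myapp";  # hypothetical service name standing in for $name
  uid = 2001;      # hypothetical fixed uid/gid for the dedicated account
in {
  virtualisation.podman.enable = true;
  virtualisation.oci-containers.backend = "podman";

  # One dedicated system account per container: no shell, no interactive login.
  users.groups.${name}.gid = uid;
  users.users.${name} = {
    isSystemUser = true;
    group = name;
    uid = uid;
  };

  # Volume directory owned by the service account, created declaratively
  # instead of by hand with mkdir/chown.
  systemd.tmpfiles.rules = [
    "d /srv/${name} 0750 ${name} ${name} -"
    "d /srv/${name}/config 0750 ${name} ${name} -"
  ];

  virtualisation.oci-containers.containers.${name} = {
    image = "registry.example.invalid/${name}:1.0";  # placeholder, not a real image
    ports = [ "127.0.0.1:8080:8080" ];               # publish on loopback only
    volumes = [ "/srv/${name}/config:/config" ];
    # Passed to `podman run --user`: the workload inside the container gets this
    # uid/gid, so files it writes under /srv/${name} belong to the service
    # account. The generated systemd unit itself still invokes podman as root
    # (rootful podman); --user changes who the workload is, not who the runtime is.
    # Images that expect PUID/PGID instead start their entrypoint as root inside
    # the container and drop privileges themselves, which is weaker than --user
    # combined with the capability drop below.
    user = "${toString uid}:${toString uid}";
    extraOptions = [
      "--security-opt=no-new-privileges:true"
      "--cap-drop=ALL"   # drop every capability; add back individually if required
      "--read-only"      # immutable root filesystem; writable state lives in volumes
      "--tmpfs=/tmp"     # scratch space, since / is read-only
    ];
  };
}
```

A genuinely rootless setup would require podman itself to run as the service account (for example from a systemd user unit with lingering enabled), which is not what this module's system services do.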
