Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another:
- `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement
- `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation)
- `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki`
Co-authored-by: Shelvacu <git@shelvacu.com>
Make the cloudflared tunnel service use systemd credentials and dynamic
users, removing the services.cloudflared.user and .group option.
Also add an option to provide the cert.pem file, without which tunnels
defined declaratively would not work.
Additionally, add an assertion checking that the certificate file is
provided if there are declarative routes defined.
Closes #259770
Closes #207050
The motivation for the former is to not execute the container as root,
so you don't have to `sudo -i` to perform podman management tasks.
The idea behind healthchecks is to be able to keep the unit in the
activating state until the container is healthy; only then is the unit
marked as active.
The following changes were necessary:
* Move the ctr-id into `/run/${containerName}` so that podman can
actually write to it, since it's now in its RuntimeDirectory.
* Make `sdnotify` option configurable (`healthy` for healthchecks that
must pass, default remains `conmon`).
* Set Delegate=yes for `sdnotify=healthy` to make sure a rootless
container can actually talk to sd_notify[1].
* Add a warning that lingering must be enabled to have a `systemd --user`
instance running which is required for the cgroup support to work
properly.
* Added a testcase for rootless containers with both conmon and
healthchecks.
[1] https://github.com/containers/podman/discussions/20573#discussioncomment-7612481