Unfortunately, with OJF requiring all kinds of network address families1, systemd-analyze security onlyjunk-fans.service is no longer SAFE, only OK. But at a rating of 1.6, it's still good, only Postgres tops it with 1.3.
Mostly pointless metric, but it was fun to restrict it as much as possible.
AF_UNIX to notify systemd, AF_NETLINK to talk to the kernel about WireGuard, and AF_INET + AF_INET6 to perform its reverse proxy duties. ↩︎
But back to most pressing topics... updating the wireguard key is... challenging. On the API side, I need to differentiate between the payload having a wg_pubkey property set to null (= delete wg pubkey) and the payload not having the property set (= don't touch the pubkey).
This makes serde somewhat unhappy, so the next best thing I can do is treat {"wg_pubkey": ""} as clear. That means that an explicit {"wg_pubkey": null} will be the same as if there wasn't a wg_pubkey prop at all.
Aand this is now deployed on OJF.
Unfortunately, with OJF requiring all kinds of network address families1, systemd-analyze security onlyjunk-fans.service is no longer SAFE, only OK. But at a rating of 1.6, it's still good, only Postgres tops it with 1.3.
Mostly pointless metric, but it was fun to restrict it as much as possible.
AF_UNIX to notify systemd, AF_NETLINK to talk to the kernel about WireGuard, and AF_INET + AF_INET6 to perform its reverse proxy duties. ↩︎
Now, if Pingora would be able to use passed fds... I'd still need all network addresses, because I'm making outbound connections too.
But I could remove the CAP_NET_BIND_SERVICE capability. ...but would still need CAP_NET_ADMIN to talk to the kernel about WireGuard.
I guess I wouldn't win much with socket activation.
Mnngh. Things don't wanna ping.
