I’m trying to find a better solution to manage configuration files, both user’s dotfiles and system files in /etc. I’m running an ubuntu server where I have a bunch services with custom configurations, and systemd drop-in files, but on top of that I also have some scripts and user dotfiles that I need to track.

What I’m doing right now is that I have a folder full of symlinks in the admin user’s directory (poor username choice, btw) and I’m using bindfs to mount this directory inside a git repository, this way git won’t see them as symlinks, and will version them as regular files. The problem with doing this is that as git deletes and rewrites files, bindfs fails to track the changes and converts the symlink to regular files.

I looked into chezmoi, but that is only meant to track user dotfiles and will refuse to add a file from /etc, that is unless doing some extra work. But even so, chezmoi will not track the user:group of files, so I would still have to manage that manually.

I also looked into GNU Stow, and that would not complain about files from /etc or anywhere, but it similarly will not track permissions and I would have to manage that manually.

I see that some people are using ansible to manage dotfiles, but at that point, it would make sense to just migrate to ansible, except I don’t want to rebuild my server from scratch to use ansible. Also it looks like a lot to learn.

Is there a better solution I’m not seeing? Maybe something using git hooks?

Edit:

I ended up using pre-commit and post-merge git hooks to launch a python script. The python script reads from a yaml file where I annotate the file paths and permissions, and then copies to or from the file location to the git repository.

I used the sudoers file to allow the admin user to run this specific script with specific arguments as root without password (because the git commands are run from VS Code and not manually), which is dangerous, be careful when doing that. I have taken special care to make this secure:

  • I used absolute paths for everything, to avoid allowing running from a different pwd as a way to copy different files
  • The script itself is installed in a root-owned location, so an unprevileged user cannot edit it
  • The configuration yaml is root-owned, so an unprevileged user cannot modify which files are copied or their permissions
  • Configuration files that can grant permission are not managed by this script (the yaml, /etc/passwd, /etc/groups, polkit rules, the sudoers file, …)
  • edinbruh@feddit.itOP
    link
    fedilink
    English
    arrow-up
    3
    ·
    19 days ago

    The server in question is a raspberry with 4 gigabytes of ram, so I will need to use containers very sparingly. Basically I’m using podman quadlets only for those services that really only comes in containers (which for now means only codimd, overleaf, and zigbee2mqtt), and I’m running everything else on metal. But even with containers, I would still need to manage container configurations, network, firewall, file sharing permissions, etc. just like I did without containers.

    • bruce965@lemmy.ml
      link
      fedilink
      arrow-up
      1
      ·
      19 days ago

      Ah I see… I keep container configs in a specific directory, which contains one directory per-service, which contain all the config files + a compose.yml file to place them in the correct path in the container. I could commit everything to Git if I wanted to.

      Regarding network and firewall, you could make a symlink to a versioned file and keep your config with the containers. Same for firewall rules.

      I’m not sure what you mean by file sharing permissions. With containers you could give a different user to each service.

      If you are worried about memory and disk usage, another option I’ve been exploring recently is using OverlayFS, which, among other things, allows you to inject a directory at a specific path. Again, this would let you keep all your configs where you fancy the best. I use it through Bubblewrap.

      Anyways I realize that what I just described is far from standard… hopefully other users will suggest something less custom.