diff --git a/deploy.sh b/deploy.sh
index 2e1005a..848f60c 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -129,11 +129,12 @@ echo " $LAUNCHER -> $REPO_DIR/bin/pipekit"
 # ── 6. Secrets file ───────────────────────────────────────────────────────────
 step "Secrets file"
-install -d -m 0755 "$CONFIG_DIR"
+install -d -m 0775 "$CONFIG_DIR"
+chown "root:$SERVICE_NAME" "$CONFIG_DIR"
 if [ ! -f "$SECRETS_FILE" ]; then
 echo " Creating $SECRETS_FILE (mode 0640, group $SERVICE_NAME)"
 install -m 0640 /dev/null "$SECRETS_FILE"
- chown "root:$SERVICE_NAME" "$SECRETS_FILE"
+ chown "$SERVICE_NAME:$SERVICE_NAME" "$SECRETS_FILE"
 cat > "$SECRETS_FILE" <<'EOF'
 # pipekit secrets — loaded by the systemd unit as EnvironmentFile.
 # Connection passwords are stored as $KEY references in the DB.
@@ -141,9 +142,9 @@ if [ ! -f "$SECRETS_FILE" ]; then
 EOF
 else
 echo " $SECRETS_FILE already exists — keeping contents."
- chown "root:$SERVICE_NAME" "$SECRETS_FILE"
+ chown "$SERVICE_NAME:$SERVICE_NAME" "$SECRETS_FILE"
 chmod 0640 "$SECRETS_FILE"
- echo " Permissions ensured: 0640 group $SERVICE_NAME."
+ echo " Permissions ensured: 0640 owner $SERVICE_NAME."
 fi
 # ── 7. Schema init ────────────────────────────────────────────────────────────
diff --git a/pipekit/cli.py b/pipekit/cli.py
index 5dcea57..b7ec900 100644
--- a/pipekit/cli.py
+++ b/pipekit/cli.py
@@ -226,7 +226,6 @@ def cmd_secrets_set(args) -> int:
 if os.path.exists(path):
 st = os.stat(path)
 os.chmod(tmp, stat.S_IMODE(st.st_mode))
- os.chown(tmp, st.st_uid, st.st_gid)
 else:
 os.chmod(tmp, 0o640)
 os.replace(tmp, path)
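Review bot: The added `install -d -m 0775 "$CONFIG_DIR"` plus the separate `chown "root:$SERVICE_NAME" "$CONFIG_DIR"` makes the directory that holds the systemd EnvironmentFile writable by the service group while keeping it readable and traversable by every local account, so the service account can now create, rename or delete any entry in it. If group write is needed only so the CLI can replace the secrets file atomically, and no other account has to read the directory, tighten the mode and set ownership in the same call: `install -d -m 0770 -o root -g "$SERVICE_NAME" "$CONFIG_DIR"`. The new `chown "$SERVICE_NAME:$SERVICE_NAME" "$SECRETS_FILE"` in the create branch also makes the service the owner of its own secrets file, which lets it change the mode itself; a short comment stating why root ownership was given up would help the next reviewer. The `if` block continues past the end of this hunk.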
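Review bot: In the `else` branch of the second deploy.sh hunk, `chown "$SERVICE_NAME:$SERVICE_NAME" "$SECRETS_FILE"` and `chmod 0640 "$SECRETS_FILE"` now act on a path inside a directory the service group can write to (mode 0775 from the first hunk), and `[ -f ]`, `chown` and `chmod` all follow symbolic links. Assuming this script runs as root, it should stop when the path is not a plain file before touching ownership, for example `[ -L "$SECRETS_FILE" ] && { echo "refusing: $SECRETS_FILE is a symlink" >&2; exit 1; }`, and use `chown -h` so that a link is never dereferenced. The `if` that this branch belongs to opens outside the hunk.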
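Review bot: With `os.chown(tmp, st.st_uid, st.st_gid)` removed from `cmd_secrets_set`, the replacement file takes the uid and gid of whoever runs the command, so running it as root would leave the secrets file owned by root at the copied mode (0640 after a deploy) and unreadable by the service until the next deploy resets ownership. Keeping the ownership copy where it is permitted avoids that: `if os.geteuid() == 0:` followed by `os.chown(tmp, st.st_uid, st.st_gid)`. The creation of `tmp` is outside this hunk, so it is worth confirming that it is created with a restrictive mode in the same directory (for example with `tempfile.mkstemp`) rather than relying on the later `os.chmod`. The function starts and continues outside the hunk.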