From a6b0bbe86e6de90e9bcab2a1df9a4bed74b33e55 Mon Sep 17 00:00:00 2001
From: CodeMaster4711
Date: Tue, 24 Mar 2026 20:51:55 +0100
Subject: [PATCH 1/2] fix: agent error
---
nixos-node/modules/csf-daemon.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/nixos-node/modules/csf-daemon.nix b/nixos-node/modules/csf-daemon.nix
index 22f0626..2e7605b 100644
--- a/nixos-node/modules/csf-daemon.nix
+++ b/nixos-node/modules/csf-daemon.nix
@@ -98,6 +98,7 @@ in
RestrictRealtime = true;
SystemCallFilter = "@system-service";
ReadWritePaths = [ "/var/lib/csf-daemon" ];
+ ReadOnlyPaths = [ "/var/lib/csf-updater/bin" ];
};
};
};
From bbb8694fc2c7a3a065c5a08af073d2009b8a9fd4 Mon Sep 17 00:00:00 2001
From: CodeMaster4711
Date: Tue, 24 Mar 2026 21:14:05 +0100
Subject: [PATCH 2/2] fix: updater error with images and pull
---
control-plane/csf-updater/src/verify.rs | 12 ++++++++++++
nixos-node/modules/server-configuration.nix | 6 +++++-
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/control-plane/csf-updater/src/verify.rs b/control-plane/csf-updater/src/verify.rs
index c074b47..5fae4e2 100644
--- a/control-plane/csf-updater/src/verify.rs
+++ b/control-plane/csf-updater/src/verify.rs
@@ -81,6 +81,18 @@ async fn remote_digest(client: &reqwest::Client, image: &str, tag: &str, ghcr_au
}
fn local_digest(image: &str) -> Result {
+ let pull = std::process::Command::new("docker")
.args(["pull", "--quiet", image])
.output()?;
+
if !pull.status.success() {
bail!(
"docker pull failed for {}: {}",
image,
String::from_utf8_lossy(&pull.stderr).trim()
);
}
+
let output = std::process::Command::new("docker")
.args(["image", "inspect", "--format", "{{json .RepoDigests}}", image])
.output()?;
diff --git a/nixos-node/modules/server-configuration.nix b/nixos-node/modules/server-configuration.nix
index 187728d..56a3153 100644
--- a/nixos-node/modules/server-configuration.nix
+++ b/nixos-node/modules/server-configuration.nix
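Review bot: `ReadOnlyPaths = [ "/var/lib/csf-updater/bin" ]` only bind-mounts that path read-only inside the unit's mount namespace; it does not grant the csf-daemon user any access that the directory's DAC mode denies, so if the "agent error" in the subject was a permission failure this line by itself will not clear it (the second patch's group change is what would). It is still a sensible hardening line, because the daemon should be able to execute the updater's binaries but never write them, and that intent is worth one comment: `# executable by the daemon, writable only by csf-updater`. If a `ProtectSystem` or `InaccessiblePaths` setting outside the hunk already covers /var/lib, confirm the combination yields the access you expect, since nested path settings resolve by the innermost match. The `serviceConfig` set this sits in starts and ends outside the hunk.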
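Review bot: The new `docker pull --quiet` fetches by whatever tag `image` carries, so the RepoDigests that `local_digest` goes on to inspect are simply what the registry served at pull time; if the caller compares this with `remote_digest` to decide whether an update is pending or whether the local image is the expected one, the two now agree by construction and a tag re-pointed on the registry side is accepted without any check. Pulling by the already-resolved digest instead, e.g. `.args(["pull", "--quiet", &format!("{image}@{digest}")])`, keeps that comparison meaningful, though it means passing the digest in and updating the caller outside this hunk. `Command::output()` also blocks the calling thread; if `local_digest` is invoked from the async code that `remote_digest` lives in, run it through `tokio::task::spawn_blocking` (the caller is not visible here). A pull is a real side effect, so the function should at least say so in a comment: `// Pulls image first (network and disk side effect), then reads its RepoDigests.` The rest of `local_digest` continues past the hunk.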
@@ -102,6 +102,10 @@ in
};
users.groups.csf-updater = {};
+ systemd.tmpfiles.rules = [
"d /var/lib/csf-updater 0710 csf-updater csf-daemon -"
];
+
systemd.services.csf-updater = {
description = "CSF Control Plane Updater";
after = [ "docker.service" "network-online.target" "csf-control-plane.service" ];
@@ -158,7 +162,7 @@ in
system.activationScripts.csf-binaries = {
text = ''
mkdir -p ${binDir}
- chown csf-updater:csf-updater ${binDir}
+ chown csf-updater:csf-daemon ${binDir}
chmod 750 ${binDir}
if [ ! -f ${binDir}/csf-updater ]; then
cp ${csfUpdaterBin}/bin/csf-updater ${binDir}/csf-updater
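Review bot: The `0710` on `/var/lib/csf-updater` gives group csf-daemon traverse-only access, the right minimum for reaching `bin/` beneath it, but nothing in the hunk records that reasoning, and the same tree is also shaped by `system.activationScripts.csf-binaries` further down the file, so the two can drift apart. A comment on the rule would capture it: `# 0710: csf-daemon may traverse into bin/ but not list or write here`. Managing `bin/` from the same list, `"d /var/lib/csf-updater/bin 0750 csf-updater csf-daemon -"`, would also stop its ownership depending on whether tmpfiles-setup or the activation script runs first on a fresh host. The `systemd.services.csf-updater` set that follows continues past the hunk.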
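Review bot: `chown csf-updater:csf-daemon ${binDir}` with `chmod 750` is neither recursive nor setgid, so anything the csf-updater user later writes into `${binDir}` is created with its primary group csf-updater (declared by `users.groups.csf-updater` in the earlier hunk), not csf-daemon, and the daemon can read such a file only if the updater also sets other-readable bits. `chmod 2750 ${binDir}` makes new entries inherit the csf-daemon group; alternatively the updater must chgrp what it writes. Files already present under the old `csf-updater:csf-updater` ownership are likewise left untouched by this change. The `cp` on the last line runs only when the binary is absent, which looks like a deliberate seed-once self-update model and deserves a comment such as `# seed once; the running updater replaces this binary itself afterwards`. The activation script's string continues past the hunk.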