fix: Remove "coder" user and group from systemd service

kylecarbs · kylecarbs · commit 51c1ed6ac243 · 2022-03-24T23:50:26.000Z
This caused an inability to listen on privileged ports and read certs
from LetsEncrypt. It seems more hurtful rather than helpful, so
removing the restriction seems reasonable.
diff --git a/cli/start.go b/cli/start.go
@@ -161,6 +161,7 @@ func start() *cobra.Command {
 				client.HTTPClient.Transport = &http.Transport{
 					TLSClientConfig: tlsConfig,
 				}
+				client.URL = accessURLParsed
 			}
 
 			provisionerDaemons := make([]*provisionerd.Server, 0)
@@ -211,15 +212,13 @@ func start() *cobra.Command {
 				// such as via the systemd service.
 				_ = config.URL().Write(client.URL.String())
 
-				hasFirstUser, err := client.HasFirstUser(cmd.Context())
-				if err != nil {
-					return xerrors.Errorf("check for first user: %w", err)
-				}
-
 				_, _ = fmt.Fprintf(cmd.OutOrStdout(), cliui.Styles.Paragraph.Render(cliui.Styles.Wrap.Render(cliui.Styles.Prompt.String()+`Started in `+
 					cliui.Styles.Field.Render("production")+` mode. All data is stored in the PostgreSQL provided! Press `+cliui.Styles.Field.Render("ctrl+c")+` to gracefully shutdown.`))+"\n")
 
-				if !hasFirstUser {
+				hasFirstUser, err := client.HasFirstUser(cmd.Context())
+				if !hasFirstUser && err == nil {
+					// This could fail for a variety of TLS-related reasons.
+					// This is a helpful starter message, and not critical for user interaction.
 					_, _ = fmt.Fprint(cmd.OutOrStdout(), cliui.Styles.Paragraph.Render(cliui.Styles.Wrap.Render(cliui.Styles.FocusedPrompt.String()+`Run `+cliui.Styles.Code.Render("coder login "+client.URL.String())+" in a new terminal to get started.\n")))
 				}
 			}
diff --git a/coder.service b/coder.service
@@ -10,15 +10,13 @@ StartLimitBurst=3
 [Service]
 Type=notify
 EnvironmentFile=/etc/coder.d/coder.env
-User=coder
-Group=coder
 ProtectSystem=full
 ProtectHome=read-only
 PrivateTmp=yes
 PrivateDevices=yes
 SecureBits=keep-caps
-AmbientCapabilities=CAP_IPC_LOCK CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+AmbientCapabilities=CAP_IPC_LOCK
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE
 NoNewPrivileges=yes
 ExecStart=/usr/bin/coder start
 Restart=on-failure

Original file line number	Diff line number	Diff line change
`@@ -161,6 +161,7 @@ func start() *cobra.Command {`
`161`	`161`	`client.HTTPClient.Transport = &http.Transport{`
`162`	`162`	`TLSClientConfig: tlsConfig,`
`163`	`163`	`}`
	`164`	`+ client.URL = accessURLParsed`
`164`	`165`	`}`
`165`	`166`
`166`	`167`	`provisionerDaemons := make([]*provisionerd.Server, 0)`
`@@ -211,15 +212,13 @@ func start() *cobra.Command {`
`211`	`212`	`// such as via the systemd service.`
`212`	`213`	`_ = config.URL().Write(client.URL.String())`
`213`	`214`
`214`		`- hasFirstUser, err := client.HasFirstUser(cmd.Context())`
`215`		`- if err != nil {`
`216`		`- return xerrors.Errorf("check for first user: %w", err)`
`217`		`- }`
`218`		`-`
`219`	`215`	_, _ = fmt.Fprintf(cmd.OutOrStdout(), cliui.Styles.Paragraph.Render(cliui.Styles.Wrap.Render(cliui.Styles.Prompt.String()+`Started in `+
`220`	`216`	cliui.Styles.Field.Render("production")+` mode. All data is stored in the PostgreSQL provided! Press `+cliui.Styles.Field.Render("ctrl+c")+` to gracefully shutdown.`))+"\n")
`221`	`217`
`222`		`- if !hasFirstUser {`
	`218`	`+ hasFirstUser, err := client.HasFirstUser(cmd.Context())`
	`219`	`+ if !hasFirstUser && err == nil {`
	`220`	`+ // This could fail for a variety of TLS-related reasons.`
	`221`	`+ // This is a helpful starter message, and not critical for user interaction.`
`223`	`222`	_, _ = fmt.Fprint(cmd.OutOrStdout(), cliui.Styles.Paragraph.Render(cliui.Styles.Wrap.Render(cliui.Styles.FocusedPrompt.String()+`Run `+cliui.Styles.Code.Render("coder login "+client.URL.String())+" in a new terminal to get started.\n")))
`224`	`223`	`}`
`225`	`224`	`}`