2026-02-07T19:21:11 Hello folks, one Q, letsencrypt keys are owned by cert:root with quite restrictive perms 640. kudos are run under kudos. Ideally we'd chgrp it to kudos, but I'm worried that this will get overwritten on the next letsencrypt refresh. What's the best practice in cases where the app is not running under root?
2026-02-07T19:21:15 (given the salt nature of our infra)
2026-02-07T19:27:38 I noticed https://paste.opensuse.org/pastes/ff10eca02d68 (if you don't have vpn around) or https://gitlab.infra.opensuse.org/infra/salt/-/blob/production/salt/profile/dehydrated/target.sls?ref_type=heads#L68
2026-02-07T19:27:41 Perhaps this would be a way
2026-02-07T19:43:54 https://gitlab.infra.opensuse.org/infra/salt/-/merge_requests/2711 (chgrp) there I could use some suggestions. I'm not sure if this is the right way. And the port change based on acidsys saying "interesting choice" :-))) yesterday https://gitlab.infra.opensuse.org/infra/salt/-/merge_requests/2710 (8080 -> 443)
2026-02-07T20:23:06 LubosKocman: we use acls for this, in salt/profile/dehydrated/target.sls there is a crtkey_acl macro already for some other services using their own user/group
2026-02-07T20:23:57 are you sure about 443, because the user typically cannot bind to low ports unless you add capabilities, typically it would be some high port