From 0b0c43c79bab8c430624ff53abdb72109fa4ea49 Mon Sep 17 00:00:00 2001
From: Daniel Togey
Date: Fri, 9 Jan 2026 00:04:01 +0300
Subject: [PATCH] chore(deploy): Relax security settings for rootless Podman support

- Remove strict security hardening to enable rootless Podman functionality
- Change NoNewPrivileges from true to false to allow user namespace operations
- Relax ProtectSystem from strict to full for container runtime compatibility
- Disable ProtectHome and PrivateTmp to support rootless container execution
- Add XDG_RUNTIME_DIR environment variable pointing to user runtime directory
- Update install.sh to dynamically create XDG_RUNTIME_DIR with proper permissions
- Retrieve narvana user's UID and substitute it in service file configuration
- Set correct ownership and permissions (700) on runtime directory for security
- These changes are necessary to support rootless Podman which requires relaxed security constraints while maintaining user namespace isolation
---
 deploy/narvana-worker.service | 12 ++++++------
 scripts/install.sh | 12 +++++++++++-
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/deploy/narvana-worker.service b/deploy/narvana-worker.service
index ddf4200..081ee82 100644
--- a/deploy/narvana-worker.service
+++ b/deploy/narvana-worker.service
@@ -15,13 +15,13 @@ RestartSec=5
 # Environment
 EnvironmentFile=/etc/narvana/control-plane.env
 Environment=HOME=/opt/narvana
+Environment=XDG_RUNTIME_DIR=/run/user/1001
 
-# Security hardening
-NoNewPrivileges=true
-ProtectSystem=strict
-ProtectHome=true
-PrivateTmp=true
-ReadWritePaths=/var/log/narvana /var/lib/narvana/builds /opt/narvana
+# Security settings relaxed for rootless Podman (requires user namespaces)
+NoNewPrivileges=false
+ProtectSystem=full
+ProtectHome=false
+PrivateTmp=false
 
 [Install]
 WantedBy=multi-user.target
diff --git a/scripts/install.sh b/scripts/install.sh
index 69c12ad..70d4c8d 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
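Review bot: The new `Environment=XDG_RUNTIME_DIR=/run/user/1001` line hardcodes a UID that is only a template value — scripts/install.sh rewrites it with `sed` at install time — but nothing in the unit says so, and a unit copied by hand keeps the wrong path. Add a comment above it, e.g. `# 1001 is a placeholder; scripts/install.sh substitutes the narvana user's real UID at install time`. The replacement comment on the security block should also say which relaxation each directive buys: `ProtectHome=false` is what makes /run/user visible at all (ProtectHome=true hides /home, /root and /run/user), and `NoNewPrivileges=false` is presumably needed for the setuid newuidmap/newgidmap helpers rootless Podman relies on — worth confirming, since it is the most consequential of the four. With `ProtectSystem=full` the dropped ReadWritePaths line is no longer required, but nothing in the patch shows why `PrivateTmp=false` is needed; if that one was changed only speculatively it could be restored.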
@@ -439,9 +439,19 @@ run_migrations() {
 
 setup_services() {
   log_info "Configuring systemd services..."
+  # Get narvana user's UID for XDG_RUNTIME_DIR
+  local NARVANA_UID=$(id -u narvana)
+
+  # Create XDG_RUNTIME_DIR for rootless Podman
+  mkdir -p "/run/user/${NARVANA_UID}"
+  chown narvana:narvana "/run/user/${NARVANA_UID}"
+  chmod 700 "/run/user/${NARVANA_UID}"
+
   cd "$INSTALL_DIR"
+
+  # Update XDG_RUNTIME_DIR in service file with actual UID
+  sed "s|/run/user/1001|/run/user/${NARVANA_UID}|g" deploy/narvana-worker.service > /etc/systemd/system/narvana-worker.service
   cp deploy/narvana-api.service /etc/systemd/system/
-  cp deploy/narvana-worker.service /etc/systemd/system/
   cp deploy/narvana-web.service /etc/systemd/system/
   systemctl daemon-reload
 
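Review bot: `local NARVANA_UID=$(id -u narvana)` masks a failed `id` lookup (the `local` builtin returns 0 regardless), so if the narvana user is missing NARVANA_UID is empty and the next three lines run `mkdir -p`, `chown narvana:narvana` and `chmod 700` against `/run/user/` itself, locking every other user out of their runtime directory and leaving the sed-generated unit pointing at `/run/user/`. Split the declaration and fail closed: `local NARVANA_UID`, then `NARVANA_UID=$(id -u narvana) || return 1`, and use `"/run/user/${NARVANA_UID:?}"` in the mkdir/chown/chmod lines so an empty value aborts instead of widening the path. Separately, /run is normally a tmpfs, so the directory created here typically does not survive a reboot; systemd-logind only recreates /run/user/UID for a logged-in or lingering user, so `loginctl enable-linger narvana` (or a `RuntimeDirectory=` managed by the unit) is likely needed for the worker to start after a reboot — confirm on the target hosts. setup_services presumably continues past the end of the hunk.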