From cea86f22b4302ca71bdf313bde4d0c08ba08ddf3 Mon Sep 17 00:00:00 2001 From: Bruno Postle Date: Sun, 7 Jun 2026 22:40:49 +0100 Subject: [PATCH] Document service account approach for private repo access in systemd deployments Co-Authored-By: Claude Sonnet 4.6 --- README.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/README.md b/README.md index b4706b2..47f9a8d 100644 --- a/README.md +++ b/README.md @@ -290,6 +290,29 @@ For private repositories, configure tokens per host in `~/.config/ifcurl/tokens. { "hosts": { "github.com": "ghp_…", "gitlab.example.com": "glpat_…" } } ``` +**systemd deployment:** the service user typically has no home directory (`ProtectHome=yes`), so `~/.config` is inaccessible. The recommended approach for a server is a dedicated read-only Forgejo account (e.g. `ifcurl-bot`) added as a member of any private repositories that should be renderable. Generate an API token for that account and configure it as follows. + +Set `XDG_CONFIG_HOME` to a readable path in the environment file (e.g. `/etc/ifcurl/env`) and ensure the file is readable by the service user: + +``` +XDG_CONFIG_HOME=/etc/ifcurl +``` + +```bash +chown root:ifcurl /etc/ifcurl/env +chmod 640 /etc/ifcurl/env +``` + +Then create `/etc/ifcurl/ifcurl/tokens.json` with the service account token: + +```bash +mkdir -p /etc/ifcurl/ifcurl +echo '{"hosts":{"git.example.com":""}}' > /etc/ifcurl/ifcurl/tokens.json +chown root:ifcurl /etc/ifcurl/ifcurl/tokens.json +chmod 640 /etc/ifcurl/ifcurl/tokens.json +systemctl restart ifcurl-api +``` + --- ## Development