Nsscash is very careful when deploying the changes:
- All files are updated using the standard "write to temporary file", "sync",
- "rename" steps which is atomic on UNIX file systems.
+ "rename" steps which is atomic on UNIX file systems. The indices are stored
+ in the same file preventing stale data during the update.
- All errors cause an immediate abort ("fail fast") with a proper error
message and a non-zero exit status. This prevents hiding possibly important
errors. In addition all files are fetched first and then deployed to try to
prevent inconsistent state if only one file can be downloaded. The state
- file (containing last file modifications) is only updated when all
- operations were successful.
+ file (containing last file modification and content hash) is only updated
+ when all operations were successful.
- To prevent unexpected permissions, `nsscash` does not create new files. The
user must create them first and `nsscash` will then re-use the permissions
- and owner/group when updating the file (see examples below).
+ (without the write bits to discourage manual modifications) and owner/group
+ when updating the file (see examples below).
- To prevent misconfigurations, empty files (no users/groups) are not
permitted and will not be written to disk. This is designed to prevent the
accidental loss of all users/groups on a system.
- github.com/BurntSushi/toml
- C compiler, for `libnss_cash.so.2`
-Tested on Debian Stretch and Buster, but should work on any GNU/Linux system.
-With adapations to the NSS module it should work on any UNIX-like system which
+Tested on Debian Buster, but should work on any GNU/Linux system. With
+adaptations to the NSS module it should work on any UNIX-like system which
uses NSS.
The following global keys are available:
-- `statepath`: Path to a JSON file which stores the last modification time of
- each file; automatically updated by `nsscash`. Used to fetch data only when
- something has changed to reduce the required traffic.
+- `statepath`: Path to a JSON file which stores the last modification time and
+ hash of each file; automatically updated by `nsscash`. Used to fetch data
+ only when something has changed to reduce the required traffic, via
+ `If-Modified-Since`. When the hash of a file has changed the download is
+ forced.
Each `file` block describes a single file to download/write. The following
keys are available:
- `url`: URL to fetch the file from; HTTP and HTTPS are supported
+- `ca`: Path to a custom CA in PEM format. Restricts HTTPS requests to accept
+ only certificates signed by this CA. Defaults to the system's certificate
+ store when omitted.
+
+- `username`/`password`: Username and password sent via HTTP Basic-Auth to the
+ webserver. The configuration file must not be readable by other users when
+ this is used.
+
- `path`: Path to store the retrieved file
ruderich.org/simon / nsscash / nsscash.git / blobdiff