Hello,
As discussed on the Matrix channel, I would like to suggest two compatibility tweaks.
First, the default configuration file location should be changed from /etc/yggdrasil.conf to /etc/yggdrasil/yggdrasil.conf. This has a security benefit in that /etc/yggdrasil can have restricted permissions that can prevent leakage of private keys from editor backup files. I have already patched this change into the Debian package for this reason.
Secondly, the system should use the compiled-in default path for AdminListen if one isn't given in the config file, and the generated config file should either omit it or have it commented out. This will facilitate cross-system portability of config files.
Issues such as #965 are likely caused by the second issue.
On Debian, I put the files in /var/run/yggdrasil so that I can run the daemon in full lockdown mode (not as root, non-writable filesystem except that one directory). This is not necessarily the right answer for non-systemd systems, for which making the directory may be more complicated. So I'm not suggesting changing the default path, just making it implicit.
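
The permission argument in the post above, as an added example that is not part of the original post and not Yggdrasil or Debian packaging code: an editor backup written under a typical umask of 022 is world-readable next to a 0640 config, and only the mode of the enclosing directory keeps it out of reach. The function names `exposed_key_files` and `demo` are hypothetical, the key material is a constructed placeholder, and the check looks only at mode bits (of the given directory itself, not nested ones).

```shell
#!/bin/sh
# Added example (hypothetical helper, not project code).

# exposed_key_files DIR
# Prints each regular file under DIR that contains the string "PrivateKey"
# and has the other-read bit set, but only when DIR itself can be traversed
# by other users. If DIR lacks o+x, nothing is printed: other users cannot
# reach the files, whatever their individual modes are.
exposed_key_files() {
    dir=$1
    # -prune stops find at DIR; it is printed only if the o+x bit is set.
    if [ -z "$(find "$dir" -prune -perm -o=x 2>/dev/null)" ]; then
        return 0
    fi
    # grep -l lists the other-readable files that actually hold a key.
    find "$dir" -type f -perm -o=r -exec grep -l 'PrivateKey' {} + \
        2>/dev/null || true
}

# Constructed demonstration: a config kept in a world-traversable directory
# (as with a file directly in /etc) versus a dedicated 0750 directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -m 755 "$tmp/flat"
    mkdir -m 750 "$tmp/dedicated"
    for d in flat dedicated; do
        # Constructed sample content, not a real key.
        printf 'PrivateKey: CONSTRUCTED-SAMPLE-NOT-A-KEY\n' \
            > "$tmp/$d/yggdrasil.conf"
        chmod 640 "$tmp/$d/yggdrasil.conf"
        # Editor backup file, created with the mode a umask of 022 gives.
        cp "$tmp/$d/yggdrasil.conf" "$tmp/$d/yggdrasil.conf~"
        chmod 644 "$tmp/$d/yggdrasil.conf~"
    done
    echo "flat layout, exposed files:"
    exposed_key_files "$tmp/flat"
    echo "dedicated layout, exposed files:"
    exposed_key_files "$tmp/dedicated"
    rm -rf "$tmp"
}

demo
```

Run against a real system as `exposed_key_files /etc/yggdrasil`; any path it prints is a key-bearing file that other local users can read.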