Jörg Behrmann
Ah, I had overlooked the reuse of that variable. Moved some things around, might work now.
I tend to forget that in the standard setup of systemdspawner jupyterhub runs as root; then one can simply do without the `ExecStartPre=` and have the hub do the chown.
> Thanks so much for all of the help. It looks like EnvironmentFile pre v228 is only configurable through the unit file, [if I'm reading that correctly](https://github.com/systemd/systemd/blob/ddb4b0d3eb57292c38a76f9b977f73cea15448fb/NEWS#L5). Funny how I...
I recommend strongly against downgrading to 0.14. The issue is with 1b83c2738f4a3fa34b5242da9cb098a04901e6dc which [fixes GHSA-cg54-gpgr-4rm6](https://github.com/jupyterhub/systemdspawner/blob/master/CHANGELOG.md#v015), which, as can be seen in the log, uses `RuntimeDirectory=`, that was only introduced in...
I run the singleuser servers with
```
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=read-only
ProtectKernelTunables=yes
ProtectControlGroups=yes
```
and explicit `ReadWritePaths=`. It just works.
You can usually get away with just the user's home; if the singleuser server doesn't start a PAM session, then you would probably need `/run/user/%U` as well.
I haven't looked at this yet, but I'm not a fan of adding an option for this myself. Looking at the general idea, though, wouldn't it be an option to...
Going from your example in the docs `artifact_93e00bec-0948-4119-8877-c10c0850617d.verity` could this maybe be something like `[email protected]`?
Maybe I'm misunderstanding what you're doing, as I said, I haven't yet followed the code, just skimmed quickly, but you know the UUID you want to write into the...
I've only had a quick look for now, but some thoughts:
- Maybe I missed it, but I don't see a reasoning for making the mount executable configurable. Could you...