From 1c9978010c2616ec664d9febc14beb1625f5f903 Mon Sep 17 00:00:00 2001
From: V
Date: Tue, 17 Aug 2021 03:14:25 +0200
Subject: fleet/modules/public-inbox: fix permissions issue
It turns out the strange behaviour we were observing was due to createHome applying an overly-restrictive mode to the public-inbox top-level directory. This prevented public-inbox-httpd from accessing any of the inboxes, despite it having the correct group assigned.
This fixes:
- Inbox descriptions showing up as "($INBOX_DIR/description missing)"
- Inbox pages only containing the text "No messages, yet"
- Mysterious "fatal: not a git repository: '/path/to/inbox'" errors
- Probably even more things that I simply didn't notice
Change-Id: Ia5a3d57546efd2d0375528fa10e4e979d155b045
---
 fleet/modules/public-inbox.nix | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
(limited to 'fleet')
diff --git a/fleet/modules/public-inbox.nix b/fleet/modules/public-inbox.nix
index a8aa06b..5c69fba 100644
--- a/fleet/modules/public-inbox.nix
+++ b/fleet/modules/public-inbox.nix
@@ -11,6 +11,8 @@ with lib;
 let
 cfg = config.services.public-inbox;
+ root = "/var/lib/public-inbox";
+
 environment.PI_CONFIG = "${pkgs.writeText "public-inbox-config" (generators.toGitINI public-inbox-config)}";
 # TODO(V): Port this to a Nix type
@@ -23,7 +25,7 @@ let
 publicinbox = mapAttrs (inbox: config: {
 address = [ "${inbox}@${config.domain}" ];
 url = "https://${config.domain}/${inbox}";
 # TODO(V): Allow using a different location than this
- inboxdir = "/var/lib/public-inbox/${inbox}.git";
+ inboxdir = "${root}/${inbox}";
 inherit (config) watch;
 }) cfg.inboxes;
 } cfg.settings;
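Review bot: The new `inboxdir = "${root}/${inbox}";` in the second hunk drops the `.git` suffix of the old `/var/lib/public-inbox/${inbox}.git`, so an inbox already initialized at the old path would no longer be found and a fresh, empty archive would presumably be created beside it; the commit message describes only the permission fix and says nothing about this path change. If any host already carries inbox data, either keep the suffix (`inboxdir = "${root}/${inbox}.git";`) or add a migration step and mention it in the message. The `root` binding added in the first hunk is a plain string while the `TODO(V): Allow using a different location than this` comment stays in place; exposing it as a module option would close that TODO and keep the tmpfiles rule and inboxdir in sync from one place.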
@@ -70,12 +72,15 @@ in {
 isSystemUser = true;
 group = "public-inbox";
- home = "/var/lib/public-inbox";
- createHome = true;
+ home = root;
 };
 users.groups.public-inbox = {};
+ systemd.tmpfiles.rules = [
+ "d ${root} 0750 public-inbox public-inbox"
+ ];
+
 systemd.services.public-inbox-init = {
 description = "public-inbox mailing-list archive (initialization)";
-- cgit 1.4.1
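Review bot: The tmpfiles rule `"d ${root} 0750 public-inbox public-inbox"` fixes the mode of the top-level directory only; the per-inbox directories under it are created by public-inbox-init, whose umask and service definition continue outside this hunk, so whether they come out group-readable for public-inbox-httpd still depends on that unit and is worth checking rather than assumed. Nothing in the hunk records why createHome was dropped, and a future reader may well put it back; a comment above the rule such as `# Deliberately not createHome: it applies a mode that locks public-inbox-httpd (group member) out of the inboxes.` would preserve the reasoning from the commit message. Since the `d` type also adjusts mode and ownership of an already existing directory, the rule repairs hosts created under the old configuration on their next activation, which is presumably the intent and could be stated in the same comment.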