authorV <v@unfathomable.blue>2021-08-17 03:14:25 +0200
committerV <v@unfathomable.blue>2021-08-17 05:01:25 +0200
commit1c9978010c2616ec664d9febc14beb1625f5f903 (patch)
tree1145249aa2d6e681913223a8953c935d1956a885
parentec0965e2672899d25a5a3a8c072de3ea734076a2 (diff)
downloadunf-legacy-1c9978010c2616ec664d9febc14beb1625f5f903.tar.zst
fleet/modules/public-inbox: fix permissions issue
It turns out the strange behaviour we were observing was due to
createHome applying an overly-restrictive mode to the public-inbox
top-level directory. This prevented public-inbox-httpd from accessing
any of the inboxes, despite it having the correct group assigned.

This fixes:
- Inbox descriptions showing up as "($INBOX_DIR/description missing)"
- Inbox pages only containing the text "No messages, yet"
- Mysterious "fatal: not a git repository: '/path/to/inbox'" errors
- Probably even more things that I simply didn't notice

Change-Id: Ia5a3d57546efd2d0375528fa10e4e979d155b045
-rw-r--r--fleet/modules/public-inbox.nix11
1 files changed, 8 insertions, 3 deletions
diff --git a/fleet/modules/public-inbox.nix b/fleet/modules/public-inbox.nix
index a8aa06b..5c69fba 100644
--- a/fleet/modules/public-inbox.nix
+++ b/fleet/modules/public-inbox.nix
@@ -11,6 +11,8 @@ with lib;
 let
   cfg = config.services.public-inbox;
 
+  root = "/var/lib/public-inbox";
+
   environment.PI_CONFIG = "${pkgs.writeText "public-inbox-config" (generators.toGitINI public-inbox-config)}";
 
   # TODO(V): Port this to a Nix type
@@ -23,7 +25,7 @@ let
     publicinbox = mapAttrs (inbox: config: {
       address = [ "${inbox}@${config.domain}" ];
       url = "https://${config.domain}/${inbox}";  # TODO(V): Allow using a different location than this
-      inboxdir = "/var/lib/public-inbox/${inbox}.git";
+      inboxdir = "${root}/${inbox}";
       inherit (config) watch;
     }) cfg.inboxes;
   } cfg.settings;
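Review bot: The replacement `inboxdir` line drops the `.git` suffix in addition to introducing `${root}`, so each inbox moves from `/var/lib/public-inbox/<inbox>.git` to `/var/lib/public-inbox/<inbox>`, and the commit message attributes the fix solely to the directory mode without mentioning this relocation. If inboxes were already initialised under the old suffixed name, the daemon will now look in a path that does not exist and the "not a git repository" symptom could reappear; if the suffix-less layout is what `public-inbox-init` (outside this hunk) actually creates, that is worth one sentence in the message. Either way a short comment would help, e.g. `# inbox directories sit directly under root, with no .git suffix — keep in sync with public-inbox-init`, hedged until the init unit's layout is confirmed. The enclosing `let` binding and the `publicinbox` attrset both start before this hunk.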
@@ -70,12 +72,15 @@ in {
       isSystemUser = true;
       group = "public-inbox";
 
-      home = "/var/lib/public-inbox";
-      createHome = true;
+      home = root;
     };
 
     users.groups.public-inbox = {};
 
+    systemd.tmpfiles.rules = [
+      "d ${root} 0750 public-inbox public-inbox"
+    ];
+
     systemd.services.public-inbox-init = {
       description = "public-inbox mailing-list archive (initialization)";