prep directories for the container

2022-11-26 21:54:48 +00:00 · 2022-11-26 21:54:48 +00:00 · a4b146c6a3
parent ac3ecc749b
commit a4b146c6a3
1 changed files with 26 additions and 7 deletions
--- a/nixos/boxes/vpsfree1/mastodon.nix
+++ b/nixos/boxes/vpsfree1/mastodon.nix
@ -25,6 +25,11 @@ let
      members = [ "${systemUserName}" "nginx" ];
    };
  };
+  secretSettings = {
+    owner = systemUserName;
+    group = systemGroupName;
+  };
+  publicPath = "${path}/public-system/";
  package =
    inputs.nixpkgs-nixos-unstable.legacyPackages."${pkgs.system}".mastodon;
 in {
@ -38,7 +43,7 @@ in {
        root = "${package}/public/";

        locations."/" = { tryFiles = "$uri @proxy"; };
-        locations."/system/".alias = "${path}/public-system/";
+        locations."/system/".alias = "${publicPath}";

        locations."@proxy" = {
          proxyPass = "http://127.0.0.1:" + toString webPort;
@ -55,18 +60,32 @@ in {
  sops.secrets."${mailgunSmtpSecretName}" = {
    sopsFile = ./mailgun.sops.yaml;
    path = mailgunSmtpPasswordPath;
-    owner = systemUserName;
-    group = systemGroupName;
-  };
+  } // secretSettings;
  sops.secrets."${mastodonDbSecretName}" = {
    sopsFile = ./mastodon-db.sops.yaml;
    path = mastodonDbSecretPath;
-    owner = systemUserName;
-    group = systemGroupName;
-  };
+  } // secretSettings;

  inherit users;

+  systemd.services.mastodon-make-path = {
+    script = ''
+      mkdir -p ${path}
+      chown -R ${systemUserName}:${systemGroupName} ${path}
+      mkdir -p ${publicPath}
+      chmod -R o-rwx ${publicPath}
+      chmod -R g-rwx ${publicPath}
+      chmod -R g+X ${publicPath}
+      chmod -R g+r ${publicPath}
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      ProtectSystem = "strict";
+      ReadWritePaths = path;
+    };
+    before = [ "container@mastodon.service" ];
+  };
+
  containers.mastodon = {
    autoStart = true;
    forwardPorts = [