prep directories for the container

nixos/boxes/vpsfree1/mastodon.nix

@@ -25,6 +25,11 @@ let
       members = [ "${systemUserName}" "nginx" ];
     };
   };
+  secretSettings = {
+    owner = systemUserName;
+    group = systemGroupName;
+  };
+  publicPath = "${path}/public-system/";
   package =
     inputs.nixpkgs-nixos-unstable.legacyPackages."${pkgs.system}".mastodon;
 in {
@@ -38,7 +43,7 @@ in {
         root = "${package}/public/";
 
         locations."/" = { tryFiles = "$uri @proxy"; };
-        locations."/system/".alias = "${path}/public-system/";
+        locations."/system/".alias = "${publicPath}";
 
         locations."@proxy" = {
           proxyPass = "http://127.0.0.1:" + toString webPort;
@@ -55,18 +60,32 @@ in {
   sops.secrets."${mailgunSmtpSecretName}" = {
     sopsFile = ./mailgun.sops.yaml;
     path = mailgunSmtpPasswordPath;
-    owner = systemUserName;
+  } // secretSettings;
-    group = systemGroupName;
-  };
   sops.secrets."${mastodonDbSecretName}" = {
     sopsFile = ./mastodon-db.sops.yaml;
     path = mastodonDbSecretPath;
-    owner = systemUserName;
+  } // secretSettings;
-    group = systemGroupName;
-  };
 
   inherit users;
 
+  systemd.services.mastodon-make-path = {
+    script = ''
+      mkdir -p ${path}
+      chown -R ${systemUserName}:${systemGroupName} ${path}
+      mkdir -p ${publicPath}
+      chmod -R o-rwx ${publicPath}
+      chmod -R g-rwx ${publicPath}
+      chmod -R g+X ${publicPath}
+      chmod -R g+r ${publicPath}
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      ProtectSystem = "strict";
+      ReadWritePaths = path;
+    };
+    before = [ "container@mastodon.service" ];
+  };
+
   containers.mastodon = {
     autoStart = true;
     forwardPorts = [