pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #123941 from mweinelt/matrix-synapse

nixos/matrix-synapse: protect created files

Maximilian Bosch 278bcdce bec3a445

options
unified split
Changed files
+11 -6
nixos
modules
services
misc
matrix-synapse.nix
+11 -6
nixos/modules/services/misc/matrix-synapse.nix 
···

       
699

       
699

       
 

       
    ];


     

       
700

       
700

       
 

       



     

       
701

       
701

       
 

       
    users.users.matrix-synapse = {


     

       
702

       

       
-

       
        group = "matrix-synapse";


     

       
703

       

       
-

       
        home = cfg.dataDir;


     

       
704

       

       
-

       
        createHome = true;


     

       
705

       

       
-

       
        shell = "${pkgs.bash}/bin/bash";


     

       
706

       

       
-

       
        uid = config.ids.uids.matrix-synapse;


     

       
707

       

       
-

       
      };


     

       

       
702

       
+

       
      group = "matrix-synapse";


     

       

       
703

       
+

       
      home = cfg.dataDir;


     

       

       
704

       
+

       
      createHome = true;


     

       

       
705

       
+

       
      shell = "${pkgs.bash}/bin/bash";


     

       

       
706

       
+

       
      uid = config.ids.uids.matrix-synapse;


     

       

       
707

       
+

       
    };


     

       
708

       
708

       
 

       



     

       
709

       
709

       
 

       
    users.groups.matrix-synapse = {


     

       
710

       
710

       
 

       
      gid = config.ids.gids.matrix-synapse;


     
···

       
726

       
726

       
 

       
        User = "matrix-synapse";


     

       
727

       
727

       
 

       
        Group = "matrix-synapse";


     

       
728

       
728

       
 

       
        WorkingDirectory = cfg.dataDir;


     

       

       
729

       
+

       
        ExecStartPre = [ ("+" + (pkgs.writeShellScript "matrix-synapse-fix-permissions" ''


     

       

       
730

       
+

       
          chown matrix-synapse:matrix-synapse ${cfg.dataDir}/homeserver.signing.key


     

       

       
731

       
+

       
          chmod 0600 ${cfg.dataDir}/homeserver.signing.key


     

       

       
732

       
+

       
        '')) ];


     

       
729

       
733

       
 

       
        ExecStart = ''


     

       
730

       
734

       
 

       
          ${cfg.package}/bin/homeserver \


     

       
731

       
735

       
 

       
            ${ concatMapStringsSep "\n  " (x: "--config-path ${x} \\") ([ configFile ] ++ cfg.extraConfigFiles) }


     
···

       
733

       
737

       
 

       
        '';


     

       
734

       
738

       
 

       
        ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";


     

       
735

       
739

       
 

       
        Restart = "on-failure";


     

       

       
740

       
+

       
        UMask = "0077";


     

       
736

       
741

       
 

       
      };


     

       
737

       
742

       
 

       
    };


     

       
738

       
743

       
 

       
  };