fix tmpfiles permission

2024-10-23 04:58:44 +08:00 · 2023-12-15 20:20:30 +08:00 · 2023-12-15 20:20:30 +08:00 · b861d7bfb9
commit b861d7bfb9
parent 2d8c36d108
10 changed files with 16 additions and 14 deletions
--- a/modules/services/fz-new-order/default.nix
+++ b/modules/services/fz-new-order/default.nix
@ -77,7 +77,10 @@ inputs:
          };
        };
        tmpfiles.rules =
-          let perm = "/var/lib/fz-new-order 0700 fz-new-order fz-new-order"; in [ "d ${perm}" "Z ${perm}" ];
+        [
+          "d /var/lib/fz-new-order 0700 fz-new-order fz-new-order"
+          "Z /var/lib/fz-new-order - fz-new-order fz-new-order"
+        ];
      };
      sops = let userNum = 6; configNum = 2; in
      {
--- a/modules/services/groupshare.nix
+++ b/modules/services/groupshare.nix
@ -20,7 +20,7 @@ inputs:
          (user:
          [
            "d /var/lib/groupshare/${user} 2750 ${user} groupshare"
-            "Z /var/lib/groupshare/${user} 2750 ${user} groupshare"
+            "Z /var/lib/groupshare/${user} - ${user} groupshare"
            ("A /var/lib/groupshare/${user} - - - - "
              # d 指 default, 即目录下新创建的文件和目录的权限
              # 大写 X 指仅给目录执行权限
--- a/modules/services/httpapi.nix
+++ b/modules/services/httpapi.nix
@ -40,6 +40,6 @@ inputs:
        };
        secrets."httpapi/token" = {};
      };
-      systemd.tmpfiles.rules = let perm = "/srv/api 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
+      systemd.tmpfiles.rules = [ "d /srv/api 0700 nginx nginx" "Z /srv/api - nginx nginx" ];
    };
 }
--- a/modules/services/meilisearch.nix
+++ b/modules/services/meilisearch.nix
@ -78,9 +78,9 @@ inputs:
            let
              user = instance.value.user;
              group = inputs.config.users.users.${instance.value.user}.group;
-              perm = "/var/lib/meilisearch/${instance.name} 0700 ${user} ${group}";
+              dir = "/var/lib/meilisearch/${instance.name}";
            in
-              [ "d ${perm}" "Z ${perm}" ])
+              [ "d ${dir} 0700 ${user} ${group}" "Z ${dir} - ${user} ${group}" ])
          (attrsToList meilisearch.instances));
      };
      sops =
--- a/modules/services/mirism.nix
+++ b/modules/services/mirism.nix
@ -37,8 +37,8 @@ inputs:
          })
          [ "ng01" "beta" ]);
        tmpfiles.rules = concatLists (map
-          (perm: [ "d ${perm}" "Z ${perm}" ])
-          (map (dir: "/srv/${dir}mirism 0700 nginx nginx") [ "" "entry." ]));
+          (dir: [ "d /srv/${dir}mirism 0700 nginx nginx" "Z /srv/${dir}mirism - nginx nginx" ])
+          [ "" "entry." ]);
      };
      nixos.services =
      {
--- a/modules/services/misskey.nix
+++ b/modules/services/misskey.nix
@ -48,9 +48,8 @@ inputs:
              Restart = "always";
            };
          };
-          tmpfiles.rules =
-            let perm = "/var/lib/misskey/${instance.name}/files 0700 misskey-${instance.name} misskey-${instance.name}";
-            in [ "d ${perm}" "Z ${perm}" ];
+          tmpfiles.rules = let dir = "/var/lib/misskey/${instance.name}/files"; owner = "misskey-${instance.name}"; in
+            [ "d ${dir} 0700 ${owner} ${owner}" "Z ${dir} - ${owner} ${owner}" ];
        })
        (attrsToList misskey.instances));
      fileSystems = mkMerge (map
--- a/modules/services/nginx/applications/blog.nix
+++ b/modules/services/nginx/applications/blog.nix
@ -12,6 +12,6 @@ inputs:
    {
      nixos.services.nginx.https."blog.chn.moe".location."/".static =
        { root = "/srv/blog"; index = [ "index.html" ]; };
-      systemd.tmpfiles.rules = let perm = "/srv/blog 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
+      systemd.tmpfiles.rules = [ "d /srv/blog 0700 nginx nginx" "Z /srv/blog - nginx nginx" ];
    };
 }
--- a/modules/services/nginx/applications/catalog.nix
+++ b/modules/services/nginx/applications/catalog.nix
@ -12,6 +12,6 @@ inputs:
    {
      nixos.services.nginx.https."catalog.chn.moe".location."/".static =
        { root = "/srv/catalog"; index = [ "index.html" ]; };
-      systemd.tmpfiles.rules = let perm = "/srv/catalog 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
+      systemd.tmpfiles.rules = [ "d /srv/catalog 0700 nginx nginx" "Z /srv/catalog - nginx nginx" ];
    };
 }
--- a/modules/services/nginx/applications/kkmeeting.nix
+++ b/modules/services/nginx/applications/kkmeeting.nix
@ -13,6 +13,6 @@ inputs:
    {
      nixos.services.nginx.https.${kkmeeting.hostname}.location."/".static =
        { root = "/srv/kkmeeting"; index = "auto"; charset = "utf-8"; };
-      systemd.tmpfiles.rules = let perm = "/srv/kkmeeting 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
+      systemd.tmpfiles.rules = [ "d /srv/kkmeeting 0700 nginx nginx" "Z /srv/kkmeeting - nginx nginx" ];
    };
 }
--- a/modules/services/nginx/applications/webdav.nix
+++ b/modules/services/nginx/applications/webdav.nix
@ -28,7 +28,7 @@ inputs:
      systemd = mkMerge (map
        (site:
        {
-          tmpfiles.rules = let perm = "${site.path} 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
+          tmpfiles.rules = [ "d ${site.path} 0700 nginx nginx" "Z ${site.path} - nginx nginx" ];
          services.nginx.serviceConfig.ReadWritePaths = [ site.path ];
        })
        (attrValues instances));