From b861d7bfb93b01e36807b429fd9c85fbabe489a3 Mon Sep 17 00:00:00 2001
From: chn
Date: Fri, 15 Dec 2023 20:20:30 +0800
Subject: [PATCH] fix tmpfiles permission

---
modules/services/fz-new-order/default.nix | 5 ++++-
modules/services/groupshare.nix | 2 +-
modules/services/httpapi.nix | 2 +-
modules/services/meilisearch.nix | 4 ++--
modules/services/mirism.nix | 4 ++--
modules/services/misskey.nix | 5 ++---
modules/services/nginx/applications/blog.nix | 2 +-
modules/services/nginx/applications/catalog.nix | 2 +-
modules/services/nginx/applications/kkmeeting.nix | 2 +-
modules/services/nginx/applications/webdav.nix | 2 +-
10 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/modules/services/fz-new-order/default.nix b/modules/services/fz-new-order/default.nix
index 284cd6b0..7c405701 100644
--- a/modules/services/fz-new-order/default.nix
+++ b/modules/services/fz-new-order/default.nix
@@ -77,7 +77,10 @@ inputs:
};
};
tmpfiles.rules =
- let perm = "/var/lib/fz-new-order 0700 fz-new-order fz-new-order"; in [ "d ${perm}" "Z ${perm}" ];
+ [
+ "d /var/lib/fz-new-order 0700 fz-new-order fz-new-order"
+ "Z /var/lib/fz-new-order - fz-new-order fz-new-order"
+ ];
};
sops = let userNum = 6; configNum = 2; in
{
diff --git a/modules/services/groupshare.nix b/modules/services/groupshare.nix
index 20d89e3b..1aa1ab4b 100644
--- a/modules/services/groupshare.nix
+++ b/modules/services/groupshare.nix
@@ -20,7 +20,7 @@ inputs:
(user:
[
"d /var/lib/groupshare/${user} 2750 ${user} groupshare"
- "Z /var/lib/groupshare/${user} 2750 ${user} groupshare"
+ "Z /var/lib/groupshare/${user} - ${user} groupshare"
("A /var/lib/groupshare/${user} - - - - "
# d 指 default, 即目录下新创建的文件和目录的权限
# 大写 X 指仅给目录执行权限
diff --git a/modules/services/httpapi.nix b/modules/services/httpapi.nix
index 6de740ec..e800a572 100644
--- a/modules/services/httpapi.nix
+++ b/modules/services/httpapi.nix
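Review bot: The directory path is now written out twice in the fz-new-order rules where the old `let perm` kept it in one place, while the meilisearch and misskey hunks of this same commit bind the path once with `let dir = …; in`; for consistency `tmpfiles.rules = let dir = "/var/lib/fz-new-order"; in [ "d ${dir} 0700 fz-new-order fz-new-order" "Z ${dir} - fz-new-order fz-new-order" ];` would keep the two literals from drifting apart. The same duplication is in the httpapi, mirism, blog, catalog and kkmeeting hunks. A short comment on the rule would also help the next reader: with `-` as the mode, `Z` now only re-owns existing contents and no longer touches their modes, so the 0700 the `d` line puts on the parent directory is the only mode tmpfiles enforces here, and anything beneath it keeps whatever mode the service created it with.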
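Review bot: With `-` as the mode on the groupshare `Z` line, the setgid bit that the `d` line sets on the top directory (2750) is no longer applied to subdirectories that already exist; subdirectories created later inherit the group and the setgid bit from their setgid parent, but pre-existing ones keep whatever mode they had, so for those the default ACL on the following `A` line is the only thing enforcing group access. The old recursive `2750` also made regular files setgid and executable, which is presumably what the commit is fixing, and as far as I can tell tmpfiles has no directory-only mode for `Z`, so this gap cannot be closed on this line and deserves a comment next to it, e.g. `# Z only fixes ownership; subdirectories that already exist are not forced to 2750`. The `A` rule and its explanation continue outside the hunk.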
@@ -40,6 +40,6 @@ inputs:
};
secrets."httpapi/token" = {};
};
- systemd.tmpfiles.rules = let perm = "/srv/api 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
+ systemd.tmpfiles.rules = [ "d /srv/api 0700 nginx nginx" "Z /srv/api - nginx nginx" ];
};
}
diff --git a/modules/services/meilisearch.nix b/modules/services/meilisearch.nix
index c0ab9027..b78441bd 100644
--- a/modules/services/meilisearch.nix
+++ b/modules/services/meilisearch.nix
@@ -78,9 +78,9 @@ inputs:
let
user = instance.value.user;
group = inputs.config.users.users.${instance.value.user}.group;
- perm = "/var/lib/meilisearch/${instance.name} 0700 ${user} ${group}";
+ dir = "/var/lib/meilisearch/${instance.name}";
in
- [ "d ${perm}" "Z ${perm}" ])
+ [ "d ${dir} 0700 ${user} ${group}" "Z ${dir} - ${user} ${group}" ])
(attrsToList meilisearch.instances));
};
sops =
diff --git a/modules/services/mirism.nix b/modules/services/mirism.nix
index 56a0084c..dc0f314b 100644
--- a/modules/services/mirism.nix
+++ b/modules/services/mirism.nix
@@ -37,8 +37,8 @@ inputs:
})
[ "ng01" "beta" ]);
tmpfiles.rules = concatLists (map
- (perm: [ "d ${perm}" "Z ${perm}" ])
- (map (dir: "/srv/${dir}mirism 0700 nginx nginx") [ "" "entry." ]));
+ (dir: [ "d /srv/${dir}mirism 0700 nginx nginx" "Z /srv/${dir}mirism - nginx nginx" ])
+ [ "" "entry." ]);
};
nixos.services =
{
diff --git a/modules/services/misskey.nix b/modules/services/misskey.nix
index 7a0aea6f..84d9efd6 100644
--- a/modules/services/misskey.nix
+++ b/modules/services/misskey.nix
@@ -48,9 +48,8 @@ inputs:
Restart = "always";
};
};
- tmpfiles.rules =
- let perm = "/var/lib/misskey/${instance.name}/files 0700 misskey-${instance.name} misskey-${instance.name}";
- in [ "d ${perm}" "Z ${perm}" ];
+ tmpfiles.rules = let dir = "/var/lib/misskey/${instance.name}/files"; owner = "misskey-${instance.name}"; in
+ [ "d ${dir} 0700 ${owner} ${owner}" "Z ${dir} - ${owner} ${owner}" ];
})
(attrsToList misskey.instances));
fileSystems = mkMerge (map
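Review bot: The lambda parameter in the new mirism `map` is named `dir`, but its values are `""` and `"entry."`, host-name prefixes spliced into `/srv/${dir}mirism`; in the meilisearch and misskey hunks of this same commit `dir` means the full directory path, so reading the three together the name misleads. Naming it for what it is, e.g. `(prefix: [ "d /srv/${prefix}mirism 0700 nginx nginx" "Z /srv/${prefix}mirism - nginx nginx" ])`, keeps the commit's own vocabulary consistent, and binding the path once inside the lambda would also avoid repeating `/srv/${dir}mirism`. The attribute set that holds this `tmpfiles.rules` starts before the hunk; only its closing `};` is visible here.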
diff --git a/modules/services/nginx/applications/blog.nix b/modules/services/nginx/applications/blog.nix
index 658ad384..ef8d35af 100644
--- a/modules/services/nginx/applications/blog.nix
+++ b/modules/services/nginx/applications/blog.nix
@@ -12,6 +12,6 @@ inputs:
{
nixos.services.nginx.https."blog.chn.moe".location."/".static = { root = "/srv/blog"; index = [ "index.html" ]; };
- systemd.tmpfiles.rules = let perm = "/srv/blog 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
+ systemd.tmpfiles.rules = [ "d /srv/blog 0700 nginx nginx" "Z /srv/blog - nginx nginx" ];
};
}
diff --git a/modules/services/nginx/applications/catalog.nix b/modules/services/nginx/applications/catalog.nix
index 6532dbbb..fbb03a3d 100644
--- a/modules/services/nginx/applications/catalog.nix
+++ b/modules/services/nginx/applications/catalog.nix
@@ -12,6 +12,6 @@ inputs:
{
nixos.services.nginx.https."catalog.chn.moe".location."/".static = { root = "/srv/catalog"; index = [ "index.html" ]; };
- systemd.tmpfiles.rules = let perm = "/srv/catalog 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
+ systemd.tmpfiles.rules = [ "d /srv/catalog 0700 nginx nginx" "Z /srv/catalog - nginx nginx" ];
};
}
diff --git a/modules/services/nginx/applications/kkmeeting.nix b/modules/services/nginx/applications/kkmeeting.nix
index 365e5d08..8c16c52d 100644
--- a/modules/services/nginx/applications/kkmeeting.nix
+++ b/modules/services/nginx/applications/kkmeeting.nix
@@ -13,6 +13,6 @@ inputs:
{
nixos.services.nginx.https.${kkmeeting.hostname}.location."/".static = { root = "/srv/kkmeeting"; index = "auto"; charset = "utf-8"; };
- systemd.tmpfiles.rules = let perm = "/srv/kkmeeting 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
+ systemd.tmpfiles.rules = [ "d /srv/kkmeeting 0700 nginx nginx" "Z /srv/kkmeeting - nginx nginx" ];
};
}
diff --git a/modules/services/nginx/applications/webdav.nix b/modules/services/nginx/applications/webdav.nix
index 293c175c..021381d8 100644
--- a/modules/services/nginx/applications/webdav.nix
+++ b/modules/services/nginx/applications/webdav.nix
@@ -28,7 +28,7 @@ inputs:
systemd = mkMerge (map
(site:
{
- tmpfiles.rules = let perm = "${site.path} 0700 nginx nginx"; in [ "d ${perm}" "Z ${perm}" ];
+ tmpfiles.rules = [ "d ${site.path} 0700 nginx nginx" "Z ${site.path} - nginx nginx" ];
services.nginx.serviceConfig.ReadWritePaths = [ site.path ];
})
(attrValues instances));
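Review bot: `Z ${site.path} - nginx nginx` recursively re-owns whatever `site.path` names, and unlike the other hunks in this commit the path comes from configuration (`instances`) rather than a fixed literal, so an instance pointing at an existing or shared tree would have every file under it chowned to nginx on the next tmpfiles run, with `ReadWritePaths` then granting nginx write access to all of it. That is presumably intended for dedicated WebDAV roots, but it is worth stating next to the rule, e.g. `# site.path must be a directory dedicated to this WebDAV site: tmpfiles chowns it recursively to nginx`, and a module assertion that the path is absolute and not `/` would catch the worst misconfiguration cheaply. The `systemd = mkMerge (…)` expression is complete inside the hunk; the attribute set containing it is not.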