proper handling of rwebdav socket permissions
This commit is contained in:
parent
d79fbeb419
commit
dc515dd29f
1 changed files with 6 additions and 18 deletions
|
|
@ -189,25 +189,17 @@ in
|
|||
};
|
||||
|
||||
systemd.services = {
|
||||
# TODO: remove when bug fix
|
||||
# serokell/deploy-rs/issues/57
|
||||
# NixOS/nixpkgs/issues/180175
|
||||
# Workaround for upstream bug in NetworkManager-wait-online.service
|
||||
NetworkManager-wait-online.enable = false;
|
||||
rclone-webdav = {
|
||||
description = "RClone WebDAV Server";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
Type = "exec";
|
||||
User = "user";
|
||||
Group = "users";
|
||||
Group = "nginx";
|
||||
ExecStart = "${rclone-webdav-start}";
|
||||
Restart = "always";
|
||||
RestartSec = "10";
|
||||
|
||||
# Security settings
|
||||
NoNewPrivileges = true;
|
||||
PrivateTmp = true;
|
||||
ProtectSystem = "strict";
|
||||
|
|
@ -216,24 +208,20 @@ in
|
|||
"/data/webdav"
|
||||
"/run"
|
||||
];
|
||||
|
||||
# Create runtime directory for socket
|
||||
RuntimeDirectory = "rclone-webdav";
|
||||
RuntimeDirectoryMode = "0750";
|
||||
UMask = "0002";
|
||||
};
|
||||
|
||||
# Ensure the user exists
|
||||
preStart = ''
|
||||
# Create webdav directory if it doesn't exist
|
||||
mkdir -p /data/webdav
|
||||
chown user:users /data/webdav
|
||||
chmod 755 /data/webdav
|
||||
# Ensure nginx can access the socket directory
|
||||
mkdir -p /run/rclone-webdav
|
||||
chown user:nginx /run/rclone-webdav
|
||||
chmod 750 /run/rclone-webdav
|
||||
'';
|
||||
};
|
||||
# TODO: remove when bug fix
|
||||
# serokell/deploy-rs/issues/57
|
||||
# NixOS/nixpkgs/issues/180175
|
||||
# Workaround for upstream bug in NetworkManager-wait-online.service
|
||||
NetworkManager-wait-online.enable = false;
|
||||
};
|
||||
}
|
||||
|
|
|
|||
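Review bot: The three preStart lines `mkdir -p /run/rclone-webdav`, `chown user:nginx /run/rclone-webdav` and `chmod 750 /run/rclone-webdav` duplicate what `RuntimeDirectory = "rclone-webdav"` and `RuntimeDirectoryMode = "0750"` already do — systemd creates that directory owned by the unit's User/Group with that mode before ExecStart runs — and since preStart runs as `user` (no `+` prefix), the chown can only succeed in the case where the directory is already owned correctly, so they can be dropped. `UMask = "0002"` applies to every file the service creates, not only the socket, so anything rclone writes under /data/webdav also becomes group-writable for `nginx`; if only the socket needs group access, a comment such as `# group-writable umask so nginx (Group) can connect to the socket; note this also affects files written to /data/webdav` would make the trade-off explicit. It looks as though `"/run"` is listed in ReadWritePaths; with ProtectSystem=strict a RuntimeDirectory is already writable by the unit, so that entry may be broader than needed — worth confirming rather than granting write access to all of /run. The `chown user:users /data/webdav` in preStart now runs with primary group `nginx`, so it presumably relies on `user` also being a member of `users`; verify that assumption. The serviceConfig block starts before the first hunk and the enclosing attribute set continues outside the shown lines.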