tyo0/forgejo: fine grain unix socket permission

Guanran Wang 2024-09-07 15:24:37 +08:00
parent 48a3c2cebe
commit 2ef8aaf319
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF
4 changed files with 9 additions and 12 deletions


@ -84,12 +84,10 @@
trusted_proxies_strict = 1; trusted_proxies_strict = 1;
}; };
systemd.services.caddy.serviceConfig = { systemd.services."caddy".serviceConfig.SupplementaryGroups = [
SupplementaryGroups = [ "mastodon"
"mastodon" "matrix-synapse"
"matrix-synapse" ];
];
};
services.postgresql = { services.postgresql = {
enable = true; enable = true;


@ -23,12 +23,6 @@
} }
]; ];
experimental_features = {
# MSC3575 (Sliding Sync API endpoints)
# TODO: drop matrix-sliding-sync proxy
msc3575_enabled = true;
};
# https://element-hq.github.io/synapse/latest/openid.html#keycloak # https://element-hq.github.io/synapse/latest/openid.html#keycloak
oidc_providers = lib.singleton { oidc_providers = lib.singleton {
idp_id = "keycloak"; idp_id = "keycloak";


@ -64,6 +64,10 @@
listen = [ ":443" ]; listen = [ ":443" ];
}; };
systemd.services."caddy".serviceConfig.SupplementaryGroups = [
"forgejo"
];
services.caddy.settings.apps.http.servers.srv0.routes = [ services.caddy.settings.apps.http.servers.srv0.routes = [
{ {
match = lib.singleton { match = lib.singleton {
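Review bot: Putting caddy in the `forgejo` group gives the proxy every group-accessible file and directory owned by that group, not only the listening socket, and the added lines carry no comment saying the socket is the sole reason. What is group-readable under Forgejo's state directory (configuration holding secrets, repositories) is not visible on this page and should be confirmed; the intent can be recorded inline, e.g. `# caddy only needs the forgejo group to reach Forgejo's unix socket (mode 660)`. These list definitions presumably merge with the `mastodon` and `matrix-synapse` entries in the first file, so the Caddy process ends up holding all three memberships; a dedicated socket-only group per service would narrow that.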


@ -14,6 +14,7 @@
PROTOCOL = "http+unix"; PROTOCOL = "http+unix";
ROOT_URL = "https://git.ny4.dev/"; ROOT_URL = "https://git.ny4.dev/";
SSH_DOMAIN = "tyo0.ny4.dev"; SSH_DOMAIN = "tyo0.ny4.dev";
UNIX_SOCKET_PERMISSION = "660";
}; };
service = { service = {
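Review bot: `UNIX_SOCKET_PERMISSION = "660"` only works together with the `forgejo` supplementary group given to caddy in another file of this commit, and nothing at this line records that dependency. A short comment such as `# 660: owner and forgejo group only; caddy gets access via SupplementaryGroups` would keep someone from removing one half later and breaking the proxy, or from loosening the mode to restore it. The directory holding the socket also has to be traversable by that group, and the socket must actually be created with group `forgejo`; neither is visible in this hunk, so it is worth checking with `stat` on the deployed socket. The enclosing settings block starts and ends outside the hunk.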