tyo0/forgejo: fine grain unix socket permission

2024-09-07 15:24:37 +08:00 · 2024-09-07 15:24:37 +08:00 · 2ef8aaf319
commit 2ef8aaf319
parent 48a3c2cebe
4 changed files with 9 additions and 12 deletions
--- a/hosts/pek0/default.nix
+++ b/hosts/pek0/default.nix
@ -84,12 +84,10 @@
    trusted_proxies_strict = 1;
  };

-  systemd.services.caddy.serviceConfig = {
-    SupplementaryGroups = [
-      "mastodon"
-      "matrix-synapse"
-    ];
-  };
+  systemd.services."caddy".serviceConfig.SupplementaryGroups = [
+    "mastodon"
+    "matrix-synapse"
+  ];

  services.postgresql = {
    enable = true;
--- a/hosts/pek0/services/matrix.nix
+++ b/hosts/pek0/services/matrix.nix
@ -23,12 +23,6 @@
        }
      ];

-      experimental_features = {
-        # MSC3575 (Sliding Sync API endpoints)
-        # TODO: drop matrix-sliding-sync proxy
-        msc3575_enabled = true;
-      };
-
      # https://element-hq.github.io/synapse/latest/openid.html#keycloak
      oidc_providers = lib.singleton {
        idp_id = "keycloak";
--- a/hosts/tyo0/default.nix
+++ b/hosts/tyo0/default.nix
@ -64,6 +64,10 @@
    listen = [ ":443" ];
  };

+  systemd.services."caddy".serviceConfig.SupplementaryGroups = [
+    "forgejo"
+  ];
+
  services.caddy.settings.apps.http.servers.srv0.routes = [
    {
      match = lib.singleton {
--- a/hosts/tyo0/services/forgejo.nix
+++ b/hosts/tyo0/services/forgejo.nix
@ -14,6 +14,7 @@
        PROTOCOL = "http+unix";
        ROOT_URL = "https://git.ny4.dev/";
        SSH_DOMAIN = "tyo0.ny4.dev";
+        UNIX_SOCKET_PERMISSION = "660";
      };

      service = {