author | networkException <git@nwex.de> | 2024-03-01 02:34:06 +0100 |
---|---|---|
committer | networkException <git@nwex.de> | 2024-03-01 02:36:29 +0100 |
commit | 10fc05bfc1bb3713f37b730987d0a4c539b166c7 (patch) | |
tree | 5d4df087daf9e9ab00d0fd79968e6db30a528939 /nixos/modules/services/matrix | |
parent | 2f2208aca6f74f3a8894bbb0f080d9b221768ac3 (diff) | |
nixos/matrix-synapse: allow synapse to write to directories of unix socket paths
This patch takes the path of every unix socket listener and appends its parent directory to the ReadWritePaths allow list of the matrix-synapse systemd service. Previously, configuring a unix socket in a directory not writable by synapse would fail.
Diffstat (limited to 'nixos/modules/services/matrix')
-rw-r--r-- | nixos/modules/services/matrix/synapse.nix | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/nixos/modules/services/matrix/synapse.nix b/nixos/modules/services/matrix/synapse.nix
index e3f9c7742cc7..7291c0fcbcdd 100644
--- a/nixos/modules/services/matrix/synapse.nix
+++ b/nixos/modules/services/matrix/synapse.nix
@@ -1232,7 +1232,8 @@ in {
 ProtectKernelTunables = true;
 ProtectProc = "invisible";
 ProtectSystem = "strict";
- ReadWritePaths = [ cfg.dataDir cfg.settings.media_store_path ];
+ ReadWritePaths = [ cfg.dataDir cfg.settings.media_store_path ] ++
+ (map (listener: dirOf listener.path) (filter (listener: listener.path != null) cfg.settings.listeners));
 RemoveIPC = true;
 RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
 RestrictNamespaces = true; |
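Review bot: `dirOf listener.path` grants the service write access to the socket's entire parent directory, so a socket placed directly in a shared location such as `/run` or `/tmp` re-opens everything there (other units' sockets, pid files, runtime state) under `ProtectSystem = "strict"`, not just the one socket. Consider pairing the added line with an assertion that each unix listener path is absolute and not directly under such a shared root, e.g. `assertion = all (l: l.path == null || (lib.hasPrefix "/" l.path && !(elem (dirOf l.path) [ "/" "/run" "/tmp" ]))) cfg.settings.listeners;`, or at least documenting on the listener `path` option that the socket should live in a directory dedicated to synapse (for instance one provided via `RuntimeDirectory`). A relative `path` would also make `dirOf` yield `.`, which systemd would resolve against the unit's working directory rather than the intended location, so the absolute-path check is worth having on its own. If worker processes configured elsewhere in this module can also bind unix socket listeners, they presumably need the same ReadWritePaths treatment; this hunk only touches the main service, and the enclosing `serviceConfig` attribute set starts and ends outside the hunk.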