Merge pull request #236134 from Tom-Hubrecht/pixelfed

nixos/pixelfed: Fix missing permissions for nginx serving files

1 files changed, 6 insertions, 2 deletions

diff --git a/nixos/modules/services/web-apps/pixelfed.nix b/nixos/modules/services/web-apps/pixelfed.nix
index 430a368650ec..b0c92aac979f 100644
--- a/nixos/modules/services/web-apps/pixelfed.nix
+++ b/nixos/modules/services/web-apps/pixelfed.nix
@@ -356,7 +356,8 @@ in {
         ExecStart = "${pixelfed-manage}/bin/pixelfed-manage schedule:run";
         User = user;
         Group = group;
-        StateDirectory = cfg.dataDir;
+        StateDirectory =
+          lib.mkIf (cfg.dataDir == "/var/lib/pixelfed") "pixelfed";
       };
     };
 
@@ -391,6 +392,9 @@ in {
         rsync -av --no-perms ${pixelfed}/storage-static/ ${cfg.dataDir}/storage
         chmod -R +w ${cfg.dataDir}/storage
 
+        chmod g+x ${cfg.dataDir}/storage ${cfg.dataDir}/storage/app
+        chmod -R g+rX ${cfg.dataDir}/storage/app/public
+
         # Link the app.php in the runtime folder.
         # We cannot link the cache folder only because bootstrap folder needs to be writeable.
         ln -sf ${pixelfed}/bootstrap-static/app.php ${cfg.runtimeDir}/app.php
@@ -441,7 +445,7 @@ in {
     ];
 
     # Enable NGINX to access our phpfpm-socket.
-    users.users."${config.services.nginx.group}".extraGroups = [ cfg.group ];
+    users.users."${config.services.nginx.user}".extraGroups = [ cfg.group ];
     services.nginx = mkIf (cfg.nginx != null) {
       enable = true;
       virtualHosts."${cfg.domain}" = mkMerge [