nixos/matrix-synapse: allow synapse to write to directories of unix socket paths

this patch takes the path of all unix socket listeners and appends their respective parent directories to the ReadWritePaths allow list for the matrix-synapse systemd service. previously configuring a unix socket in a directory not writable by synapse would fail.
author: networkException <git@nwex.de> 2024-03-01 02:34:06 +0100
committer: networkException <git@nwex.de> 2024-03-01 02:36:29 +0100
commit: 10fc05bfc1bb3713f37b730987d0a4c539b166c7 (patch)
tree: 5d4df087daf9e9ab00d0fd79968e6db30a528939 /nixos/modules/services/matrix
parent: 2f2208aca6f74f3a8894bbb0f080d9b221768ac3 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/nixos/modules/services/matrix/synapse.nix b/nixos/modules/services/matrix/synapse.nix
index e3f9c7742cc7d..7291c0fcbcdda 100644
--- a/nixos/modules/services/matrix/synapse.nix
+++ b/nixos/modules/services/matrix/synapse.nix
@@ -1232,7 +1232,8 @@ in {
             ProtectKernelTunables = true;
             ProtectProc = "invisible";
             ProtectSystem = "strict";
-            ReadWritePaths = [ cfg.dataDir cfg.settings.media_store_path ];
+            ReadWritePaths = [ cfg.dataDir cfg.settings.media_store_path ] ++
+              (map (listener: dirOf listener.path) (filter (listener: listener.path != null) cfg.settings.listeners));
             RemoveIPC = true;
             RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
             RestrictNamespaces = true;
author	networkException <git@nwex.de>	2024-03-01 02:34:06 +0100
committer	networkException <git@nwex.de>	2024-03-01 02:36:29 +0100
commit	10fc05bfc1bb3713f37b730987d0a4c539b166c7 (patch)
tree	5d4df087daf9e9ab00d0fd79968e6db30a528939 /nixos/modules/services/matrix
parent	2f2208aca6f74f3a8894bbb0f080d9b221768ac3 (diff)