author | networkException <git@nwex.de> | 2024-03-01 02:34:06 +0100 |
committer | networkException <git@nwex.de> | 2024-03-01 02:36:29 +0100 |
commit | 10fc05bfc1bb3713f37b730987d0a4c539b166c7 (patch) | |
tree | 5d4df087daf9e9ab00d0fd79968e6db30a528939 /nixos | |
parent | 2f2208aca6f74f3a8894bbb0f080d9b221768ac3 (diff) |
nixos/matrix-synapse: allow synapse to write to directories of unix socket paths
This patch takes the path of every unix socket listener and appends its parent directory to the ReadWritePaths allow list of the matrix-synapse systemd service. Previously, because ProtectSystem = "strict" leaves the file system read-only outside ReadWritePaths, configuring a unix socket listener in a directory that synapse could not write to would fail at startup.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/matrix/synapse.nix | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/nixos/modules/services/matrix/synapse.nix b/nixos/modules/services/matrix/synapse.nix
index e3f9c7742cc7d..7291c0fcbcdda 100644
--- a/nixos/modules/services/matrix/synapse.nix
+++ b/nixos/modules/services/matrix/synapse.nix
@@ -1232,7 +1232,8 @@ in {
 ProtectKernelTunables = true;
 ProtectProc = "invisible";
 ProtectSystem = "strict";
-ReadWritePaths = [ cfg.dataDir cfg.settings.media_store_path ];
+ReadWritePaths = [ cfg.dataDir cfg.settings.media_store_path ] ++
+(map (listener: dirOf listener.path) (filter (listener: listener.path != null) cfg.settings.listeners));
 RemoveIPC = true;
 RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
 RestrictNamespaces = true;
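Review bot: The added `map (listener: dirOf listener.path) …` silently widens the ProtectSystem = "strict" sandbox to the whole parent directory of each socket, so a listener path like `/run/synapse.sock` or `/tmp/synapse.sock` makes all of `/run` or `/tmp` writable by the service rather than just the socket, and nothing in the hunk or the option docs warns about that. A short comment on the new line would make the trade-off visible to operators: `# Unix socket listeners need a writable parent directory; this opens the whole directory, so point sockets at a dedicated one (e.g. a RuntimeDirectory) rather than a shared path like /run or /tmp.` Consider also deduplicating the list, since several listeners in the same directory yield repeated entries (`lib.unique` would do, assuming `lib` is in scope here as `map`/`filter` suggest). Whether worker services with their own unix socket listeners get the same allowance cannot be told from this hunk; the enclosing attribute set continues outside it.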