author | Izorkin <izorkin@elven.pw> | 2020-07-30 23:44:43 +0300 |
---|---|---|
committer | Izorkin <izorkin@elven.pw> | 2020-08-05 11:19:32 +0300 |
commit | f77e28d83df6ac53ac44156e06203d152ec5f667 (patch) | |
tree | b014f3f824e528e4d292b9c0528e3ed0511fc6a5 /nixos/modules/services/misc/gitea.nix | |
parent | 8e2b14aceb1d40c7e8b84c03a7c78955359872bb (diff) | |
nixos/gitea: enable data access only for 'gitea' group
Diffstat (limited to 'nixos/modules/services/misc/gitea.nix')
-rw-r--r-- | nixos/modules/services/misc/gitea.nix | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index f8bcedc94fe..15aeb191f57 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -357,12 +357,20 @@ in
 };
 systemd.tmpfiles.rules = [
- "d '${cfg.stateDir}' - ${cfg.user} gitea - -"
- "d '${cfg.stateDir}/conf' - ${cfg.user} gitea - -"
- "d '${cfg.stateDir}/custom' - ${cfg.user} gitea - -"
- "d '${cfg.stateDir}/custom/conf' - ${cfg.user} gitea - -"
- "d '${cfg.stateDir}/log' - ${cfg.user} gitea - -"
- "d '${cfg.repositoryRoot}' - ${cfg.user} gitea - -"
+ "d '${cfg.repositoryRoot}' 0750 ${cfg.user} gitea - -"
+ "z '${cfg.repositoryRoot}' 0750 ${cfg.user} gitea - -"
+ "Z '${cfg.repositoryRoot}' - ${cfg.user} gitea - -"
+ "d '${cfg.stateDir}' 0750 ${cfg.user} gitea - -"
+ "d '${cfg.stateDir}/conf' 0750 ${cfg.user} gitea - -"
+ "d '${cfg.stateDir}/custom' 0750 ${cfg.user} gitea - -"
+ "d '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} gitea - -"
+ "d '${cfg.stateDir}/log' 0750 ${cfg.user} gitea - -"
+ "z '${cfg.stateDir}' 0750 ${cfg.user} gitea - -"
+ "z '${cfg.stateDir}/.ssh' 0700 ${cfg.user} gitea - -"
+ "z '${cfg.stateDir}/conf' 0750 ${cfg.user} gitea - -"
+ "z '${cfg.stateDir}/custom' 0750 ${cfg.user} gitea - -"
+ "z '${cfg.stateDir}/custom/conf' 0750 ${cfg.user} gitea - -"
+ "z '${cfg.stateDir}/log' 0750 ${cfg.user} gitea - -"
 "Z '${cfg.stateDir}' - ${cfg.user} gitea - -"
 # If we have a folder or symlink with gitea locales, remove it
@@ -440,7 +448,8 @@ in
 ProtectKernelTunables = true;
 ProtectKernelModules = true;
 ProtectControlGroups = true;
- ReadWritePaths = cfg.stateDir;
+ ReadWritePaths = [ cfg.repositoryRoot cfg.stateDir ];
+ UMask = "0027";
 # Caps
 CapabilityBoundingSet = "";
 NoNewPrivileges = true; |
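Review bot: The new recursive `"Z '${cfg.repositoryRoot}' - ${cfg.user} gitea - -"` rule in the first hunk re-chowns everything beneath `cfg.repositoryRoot` on every `systemd-tmpfiles --create` run, which is a surprising side effect when that option points at a large or shared filesystem rather than a location dedicated to gitea; a comment such as `# Ownership below repositoryRoot is reset recursively at each activation` would make that explicit, or the recursive rule could be restricted to the default location. The added `z` lines for `cfg.repositoryRoot` and the `cfg.stateDir` subdirectories duplicate the `d` lines for the same paths, since a `d` line already adjusts mode and ownership of an existing directory; only the `.ssh` entry, which has no `d` line, appears to need a `z`. Because the `Z` rules keep mode `-`, other users are kept out only by the 0750 traversal barrier on the top-level directories, not by tightening pre-existing file modes, while the `UMask = "0027"` added in the second hunk covers files created from now on. The `systemd.tmpfiles.rules` list and the `serviceConfig` attribute set both continue outside their hunks.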