commit af4a43e36a697edbd108d3aabaacadfbe631b294 · tjh.dev/nixpkgs

tjh.dev / nixpkgs

Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)

fork atom

treewide: convert fake octal ints to strings

These were being cast to strings later and then reinterpreted as
octal.

Yorick van Pelt 3 years ago af4a43e3 4fce8949

+16 -16

12 changed files

expand all

unified split

nixos

modules

security

acme

default.nix

services

logging

journalwatch.nix

matrix

appservice-discord.nix

mautrix-telegram.nix

misc

geoipupdate.nix

mx-puppet-discord.nix

rmfakecloud.nix

monitoring

parsedmarc.nix

web-apps

bookstack.nix

discourse.nix

keycloak.nix

snipe-it.nix

+4 -4

nixos/modules/security/acme/default.nix

··· 26 26 Type = "oneshot"; 27 27 User = user; 28 28 Group = mkDefault "acme"; 29 - UMask = 0022; 30 - StateDirectoryMode = 750; 29 + UMask = "0022"; 30 + StateDirectoryMode = "750"; 31 31 ProtectSystem = "strict"; 32 32 ReadWritePaths = [ 33 33 "/var/lib/acme" ··· 85 85 serviceConfig = commonServiceConfig // { 86 86 StateDirectory = "acme/.minica"; 87 87 BindPaths = "/var/lib/acme/.minica:/tmp/ca"; 88 - UMask = 0077; 88 + UMask = "0077"; 89 89 }; 90 90 91 91 # Working directory will be /tmp ··· 243 243 244 244 serviceConfig = commonServiceConfig // { 245 245 Group = data.group; 246 - UMask = 0027; 246 + UMask = "0027"; 247 247 248 248 StateDirectory = "acme/${cert}"; 249 249

+1 -1

nixos/modules/services/logging/journalwatch.nix

··· 239 239 Type = "oneshot"; 240 240 # requires a relative directory name to create beneath /var/lib 241 241 StateDirectory = user; 242 - StateDirectoryMode = 0750; 242 + StateDirectoryMode = "0750"; 243 243 ExecStart = "${pkgs.python3Packages.journalwatch}/bin/journalwatch mail"; 244 244 # lowest CPU and IO priority, but both still in best-effort class to prevent starvation 245 245 Nice=19;

+1 -1

nixos/modules/services/matrix/appservice-discord.nix

··· 137 137 PrivateTmp = true; 138 138 WorkingDirectory = appDir; 139 139 StateDirectory = baseNameOf dataDir; 140 - UMask = 0027; 140 + UMask = "0027"; 141 141 EnvironmentFile = cfg.environmentFile; 142 142 143 143 ExecStart = ''

+1 -1

nixos/modules/services/matrix/mautrix-telegram.nix

··· 162 162 PrivateTmp = true; 163 163 WorkingDirectory = pkgs.mautrix-telegram; # necessary for the database migration scripts to be found 164 164 StateDirectory = baseNameOf dataDir; 165 - UMask = 0027; 165 + UMask = "0027"; 166 166 EnvironmentFile = cfg.environmentFile; 167 167 168 168 ExecStart = ''

+1 -1

nixos/modules/services/misc/geoipupdate.nix

··· 183 183 DynamicUser = true; 184 184 ReadWritePaths = cfg.settings.DatabaseDirectory; 185 185 RuntimeDirectory = "geoipupdate"; 186 - RuntimeDirectoryMode = 0700; 186 + RuntimeDirectoryMode = "0700"; 187 187 CapabilityBoundingSet = ""; 188 188 PrivateDevices = true; 189 189 PrivateMounts = true;

+1 -1

nixos/modules/services/misc/mx-puppet-discord.nix

··· 107 107 PrivateTmp = true; 108 108 WorkingDirectory = pkgs.mx-puppet-discord; 109 109 StateDirectory = baseNameOf dataDir; 110 - UMask = 0027; 110 + UMask = "0027"; 111 111 112 112 ExecStart = '' 113 113 ${pkgs.mx-puppet-discord}/bin/mx-puppet-discord \

+1 -1

nixos/modules/services/misc/rmfakecloud.nix

··· 138 138 SystemCallArchitectures = "native"; 139 139 WorkingDirectory = serviceDataDir; 140 140 StateDirectory = baseNameOf serviceDataDir; 141 - UMask = 0027; 141 + UMask = "0027"; 142 142 }; 143 143 }; 144 144 };

+1 -1

nixos/modules/services/monitoring/parsedmarc.nix

··· 494 494 Group = "parsedmarc"; 495 495 DynamicUser = true; 496 496 RuntimeDirectory = "parsedmarc"; 497 - RuntimeDirectoryMode = 0700; 497 + RuntimeDirectoryMode = "0700"; 498 498 CapabilityBoundingSet = ""; 499 499 PrivateDevices = true; 500 500 PrivateMounts = true;

+1 -1

nixos/modules/services/web-apps/bookstack.nix

··· 372 372 User = user; 373 373 WorkingDirectory = "${bookstack}"; 374 374 RuntimeDirectory = "bookstack/cache"; 375 - RuntimeDirectoryMode = 0700; 375 + RuntimeDirectoryMode = "0700"; 376 376 }; 377 377 path = [ pkgs.replace-secret ]; 378 378 script =

+2 -2

nixos/modules/services/web-apps/discourse.nix

··· 798 798 "public" 799 799 "sockets" 800 800 ]; 801 - RuntimeDirectoryMode = 0750; 801 + RuntimeDirectoryMode = "0750"; 802 802 StateDirectory = map (p: "discourse/" + p) [ 803 803 "uploads" 804 804 "backups" 805 805 "tmp" 806 806 ]; 807 - StateDirectoryMode = 0750; 807 + StateDirectoryMode = "0750"; 808 808 LogsDirectory = "discourse"; 809 809 TimeoutSec = "infinity"; 810 810 Restart = "on-failure";

+1 -1

nixos/modules/services/web-apps/keycloak.nix

··· 616 616 Group = "keycloak"; 617 617 DynamicUser = true; 618 618 RuntimeDirectory = "keycloak"; 619 - RuntimeDirectoryMode = 0700; 619 + RuntimeDirectoryMode = "0700"; 620 620 AmbientCapabilities = "CAP_NET_BIND_SERVICE"; 621 621 }; 622 622 script = ''

+1 -1

nixos/modules/services/web-apps/snipe-it.nix

··· 394 394 User = user; 395 395 WorkingDirectory = snipe-it; 396 396 RuntimeDirectory = "snipe-it/cache"; 397 - RuntimeDirectoryMode = 0700; 397 + RuntimeDirectoryMode = "0700"; 398 398 }; 399 399 path = [ pkgs.replace-secret ]; 400 400 script =