
treewide: convert fake octal ints to strings

These were being cast to strings later and then reinterpreted as
octal.

+16 -16
+4 -4
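--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -26,8 +26,8 @@
 Type = "oneshot";
 User = user;
 Group = mkDefault "acme";
-UMask = 0022;
-StateDirectoryMode = 750;
+UMask = "0022";
+StateDirectoryMode = "750";
 ProtectSystem = "strict";
 ReadWritePaths = [
 "/var/lib/acme"
@@ -85,7 +85,7 @@
 serviceConfig = commonServiceConfig // {
 StateDirectory = "acme/.minica";
 BindPaths = "/var/lib/acme/.minica:/tmp/ca";
-UMask = 0077;
+UMask = "0077";
 };
 
 # Working directory will be /tmp
@@ -243,7 +243,7 @@
 
 serviceConfig = commonServiceConfig // {
 Group = data.group;
-UMask = 0027;
+UMask = "0027";
 
 StateDirectory = "acme/${cert}";
 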
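Review bot: `StateDirectoryMode = "750";` in the first hunk is the only mode in this commit written without a leading zero, while every other module touched here spells its mode as `"0750"` or `"0700"`. systemd reads these mode values as octal either way, so the effective permission should be unchanged. Writing `StateDirectoryMode = "0750";` would make the octal intent explicit and match the rest of the tree, which matters for a directory that presumably holds the ACME key material. The attribute set this line sits in starts and ends outside the hunk.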
+1 -1
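--- a/nixos/modules/services/logging/journalwatch.nix
+++ b/nixos/modules/services/logging/journalwatch.nix
@@ -239,7 +239,7 @@
 Type = "oneshot";
 # requires a relative directory name to create beneath /var/lib
 StateDirectory = user;
-StateDirectoryMode = 0750;
+StateDirectoryMode = "0750";
 ExecStart = "${pkgs.python3Packages.journalwatch}/bin/journalwatch mail";
 # lowest CPU and IO priority, but both still in best-effort class to prevent starvation
 Nice=19;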
+1 -1
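--- a/nixos/modules/services/matrix/appservice-discord.nix
+++ b/nixos/modules/services/matrix/appservice-discord.nix
@@ -137,7 +137,7 @@
 PrivateTmp = true;
 WorkingDirectory = appDir;
 StateDirectory = baseNameOf dataDir;
-UMask = 0027;
+UMask = "0027";
 EnvironmentFile = cfg.environmentFile;
 
 ExecStart = ''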
+1 -1
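--- a/nixos/modules/services/matrix/mautrix-telegram.nix
+++ b/nixos/modules/services/matrix/mautrix-telegram.nix
@@ -162,7 +162,7 @@
 PrivateTmp = true;
 WorkingDirectory = pkgs.mautrix-telegram; # necessary for the database migration scripts to be found
 StateDirectory = baseNameOf dataDir;
-UMask = 0027;
+UMask = "0027";
 EnvironmentFile = cfg.environmentFile;
 
 ExecStart = ''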
+1 -1
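--- a/nixos/modules/services/misc/geoipupdate.nix
+++ b/nixos/modules/services/misc/geoipupdate.nix
@@ -183,7 +183,7 @@
 DynamicUser = true;
 ReadWritePaths = cfg.settings.DatabaseDirectory;
 RuntimeDirectory = "geoipupdate";
-RuntimeDirectoryMode = 0700;
+RuntimeDirectoryMode = "0700";
 CapabilityBoundingSet = "";
 PrivateDevices = true;
 PrivateMounts = true;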
+1 -1
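--- a/nixos/modules/services/misc/mx-puppet-discord.nix
+++ b/nixos/modules/services/misc/mx-puppet-discord.nix
@@ -107,7 +107,7 @@
 PrivateTmp = true;
 WorkingDirectory = pkgs.mx-puppet-discord;
 StateDirectory = baseNameOf dataDir;
-UMask = 0027;
+UMask = "0027";
 
 ExecStart = ''
 ${pkgs.mx-puppet-discord}/bin/mx-puppet-discord \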
+1 -1
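--- a/nixos/modules/services/misc/rmfakecloud.nix
+++ b/nixos/modules/services/misc/rmfakecloud.nix
@@ -138,7 +138,7 @@
 SystemCallArchitectures = "native";
 WorkingDirectory = serviceDataDir;
 StateDirectory = baseNameOf serviceDataDir;
-UMask = 0027;
+UMask = "0027";
 };
 };
 };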
+1 -1
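--- a/nixos/modules/services/monitoring/parsedmarc.nix
+++ b/nixos/modules/services/monitoring/parsedmarc.nix
@@ -494,7 +494,7 @@
 Group = "parsedmarc";
 DynamicUser = true;
 RuntimeDirectory = "parsedmarc";
-RuntimeDirectoryMode = 0700;
+RuntimeDirectoryMode = "0700";
 CapabilityBoundingSet = "";
 PrivateDevices = true;
 PrivateMounts = true;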
+1 -1
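--- a/nixos/modules/services/web-apps/bookstack.nix
+++ b/nixos/modules/services/web-apps/bookstack.nix
@@ -372,7 +372,7 @@
 User = user;
 WorkingDirectory = "${bookstack}";
 RuntimeDirectory = "bookstack/cache";
-RuntimeDirectoryMode = 0700;
+RuntimeDirectoryMode = "0700";
 };
 path = [ pkgs.replace-secret ];
 script =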
+2 -2
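--- a/nixos/modules/services/web-apps/discourse.nix
+++ b/nixos/modules/services/web-apps/discourse.nix
@@ -798,13 +798,13 @@
 "public"
 "sockets"
 ];
-RuntimeDirectoryMode = 0750;
+RuntimeDirectoryMode = "0750";
 StateDirectory = map (p: "discourse/" + p) [
 "uploads"
 "backups"
 "tmp"
 ];
-StateDirectoryMode = 0750;
+StateDirectoryMode = "0750";
 LogsDirectory = "discourse";
 TimeoutSec = "infinity";
 Restart = "on-failure";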
+1 -1
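--- a/nixos/modules/services/web-apps/keycloak.nix
+++ b/nixos/modules/services/web-apps/keycloak.nix
@@ -616,7 +616,7 @@
 Group = "keycloak";
 DynamicUser = true;
 RuntimeDirectory = "keycloak";
-RuntimeDirectoryMode = 0700;
+RuntimeDirectoryMode = "0700";
 AmbientCapabilities = "CAP_NET_BIND_SERVICE";
 };
 script = ''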
+1 -1
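--- a/nixos/modules/services/web-apps/snipe-it.nix
+++ b/nixos/modules/services/web-apps/snipe-it.nix
@@ -394,7 +394,7 @@
 User = user;
 WorkingDirectory = snipe-it;
 RuntimeDirectory = "snipe-it/cache";
-RuntimeDirectoryMode = 0700;
+RuntimeDirectoryMode = "0700";
 };
 path = [ pkgs.replace-secret ];
 script =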