From 43258201b95c5645295f4a61e7431b3f09993aba Mon Sep 17 00:00:00 2001
From: Aaron Andersen
Date: Fri, 22 Feb 2019 22:55:21 -0500
Subject: [PATCH] nixos/redmine: fix permissions & cleanup
---
 nixos/modules/services/misc/redmine.nix | 72 +++++++++++--------------
 1 file changed, 32 insertions(+), 40 deletions(-)
diff --git a/nixos/modules/services/misc/redmine.nix b/nixos/modules/services/misc/redmine.nix
index 98e9c8953c84..c38138d7c978 100644
--- a/nixos/modules/services/misc/redmine.nix
+++ b/nixos/modules/services/misc/redmine.nix
@@ -234,10 +234,33 @@ in
 environment.systemPackages = [ cfg.package ];
+ # create symlinks for the basic directory layout the redmine package expects
+ systemd.tmpfiles.rules = [
+ "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
+ "d '${cfg.stateDir}/cache' 0750 ${cfg.user} ${cfg.group} - -"
+ "d '${cfg.stateDir}/config' 0750 ${cfg.user} ${cfg.group} - -"
+ "d '${cfg.stateDir}/files' 0750 ${cfg.user} ${cfg.group} - -"
+ "d '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -"
+ "d '${cfg.stateDir}/plugins' 0750 ${cfg.user} ${cfg.group} - -"
+ "d '${cfg.stateDir}/public' 0750 ${cfg.user} ${cfg.group} - -"
+ "d '${cfg.stateDir}/public/plugin_assets' 0750 ${cfg.user} ${cfg.group} - -"
+ "d '${cfg.stateDir}/public/themes' 0750 ${cfg.user} ${cfg.group} - -"
+ "d '${cfg.stateDir}/tmp' 0750 ${cfg.user} ${cfg.group} - -"
+
+ "d /run/redmine - - - - -"
+ "d /run/redmine/public - - - - -"
+ "L+ /run/redmine/config - - - - ${cfg.stateDir}/config"
+ "L+ /run/redmine/files - - - - ${cfg.stateDir}/files"
+ "L+ /run/redmine/log - - - - ${cfg.stateDir}/log"
+ "L+ /run/redmine/plugins - - - - ${cfg.stateDir}/plugins"
+ "L+ /run/redmine/public/plugin_assets - - - - ${cfg.stateDir}/public/plugin_assets"
+ "L+ /run/redmine/public/themes - - - - ${cfg.stateDir}/public/themes"
+ "L+ /run/redmine/tmp - - - - ${cfg.stateDir}/tmp"
+ ];
+
 systemd.services.redmine = {
 after = [ "network.target" (if cfg.database.type == "mysql2" then "mysql.service" else "postgresql.service") ];
 wantedBy = [ "multi-user.target" ];
- environment.HOME = "${cfg.package}/share/redmine";
 environment.RAILS_ENV = "production";
 environment.RAILS_CACHE = "${cfg.stateDir}/cache";
 environment.REDMINE_LANG = "en";
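Review bot: The comment above `systemd.tmpfiles.rules` describes only the `L+` symlink entries, while the `d` entries are what replaces the recursive chown/chmod that the later hunks delete from preStart, and tmpfiles adjusts mode and owner of the listed directory inodes only, not of the files below them. Suggest `# state directories (tmpfiles also fixes mode/owner of existing ones, non-recursively) plus the /run/redmine layout the redmine package expects`. Note also that `/run/redmine` and `/run/redmine/public` take the tmpfiles defaults (root-owned, 0755) while every target they link to sits in a 0750 directory owned by `${cfg.user}:${cfg.group}`, so a process outside cfg.group, e.g. a reverse proxy serving static assets straight from `/run/redmine/public`, cannot read them; presumably that is intended, but it deserves a line in the option documentation.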
@@ -252,28 +275,16 @@ in
 subversion
 ];
 preStart = ''
- # ensure cache directory exists for db:migrate command
- mkdir -p "${cfg.stateDir}/cache"
-
- # create the basic directory layout the redmine package expects
- mkdir -p /run/redmine/public
-
- for i in config files log plugins tmp; do
- mkdir -p "${cfg.stateDir}/$i"
- ln -fs "${cfg.stateDir}/$i" /run/redmine/
- done
-
- for i in plugin_assets themes; do
- mkdir -p "${cfg.stateDir}/public/$i"
- ln -fs "${cfg.stateDir}/public/$i" /run/redmine/public/
- done
-
+ rm -rf "${cfg.stateDir}/plugins/"*
+ rm -rf "${cfg.stateDir}/public/themes/"*
 # start with a fresh config directory
 # the config directory is copied instead of linked as some mutable data is stored in there
- rm -rf "${cfg.stateDir}/config/"*
+ find "${cfg.stateDir}/config" ! -name "secret_token.rb" -type f -exec rm -f {} +
 cp -r ${cfg.package}/share/redmine/config.dist/* "${cfg.stateDir}/config/"
+ chmod -R u+w "${cfg.stateDir}/config"
+
 # link in the application configuration
 ln -fs ${configurationYml} "${cfg.stateDir}/config/configuration.yml"
@@ -282,7 +293,6 @@ in
 # link in all user specified themes
- rm -rf "${cfg.stateDir}/public/themes/"*
 for theme in ${concatStringsSep " " (mapAttrsToList unpackTheme cfg.themes)}; do
 ln -fs $theme/* "${cfg.stateDir}/public/themes"
 done
@@ -292,16 +302,11 @@ in
 # link in all user specified plugins
- rm -rf "${cfg.stateDir}/plugins/"*
 for plugin in ${concatStringsSep " " (mapAttrsToList unpackPlugin cfg.plugins)}; do
 ln -fs $plugin/* "${cfg.stateDir}/plugins/''${plugin##*-redmine-plugin-}"
 done
- # ensure correct permissions for most files
- chmod -R ug+rwX,o-rwx+x "${cfg.stateDir}/"
-
- # handle database.passwordFile & permissions
 DBPASS=$(head -n1 ${cfg.database.passwordFile})
 cp -f ${databaseYml} "${cfg.stateDir}/config/database.yml"
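Review bot: The comment `# start with a fresh config directory` no longer matches the new `find "${cfg.stateDir}/config" ! -name "secret_token.rb" -type f -exec rm -f {} +` line: only regular files are removed, so subdirectories and symlinks left by earlier starts survive across package upgrades, and a file named secret_token.rb anywhere under config is kept, not just the one in initializers/. Suggest replacing the two comment lines with `# refresh config from config.dist, keeping the generated secret_token.rb; directories and symlinks from earlier starts are left in place`. The added `chmod -R u+w "${cfg.stateDir}/config"` presumably exists because files copied out of the store are read-only; a one-line `# store copies are read-only, make them writable for the later cp -f` would save the next reader the guess. Whether anything later in preStart relies on stale subdirectories being gone is not visible in this hunk.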
@@ -315,25 +320,13 @@ in
 chmod 440 "${cfg.stateDir}/config/initializers/secret_token.rb"
 fi
-
- # ensure everything is owned by ${cfg.user}
- chown -R ${cfg.user}:${cfg.group} "${cfg.stateDir}"
-
- # execute redmine required commands prior to starting the application
- # NOTE: su required in case using mysql socket authentication
- /run/wrappers/bin/su -s ${pkgs.bash}/bin/bash -m -l redmine -c '${bundle} exec rake db:migrate'
- /run/wrappers/bin/su -s ${pkgs.bash}/bin/bash -m -l redmine -c '${bundle} exec rake redmine:plugins:migrate'
- /run/wrappers/bin/su -s ${pkgs.bash}/bin/bash -m -l redmine -c '${bundle} exec rake redmine:load_default_data'
-
-
- # log files don't exist until after first command has been executed
- # correct ownership of files generated by calling exec rake ...
- chown -R ${cfg.user}:${cfg.group} "${cfg.stateDir}/log"
+ ${bundle} exec rake db:migrate
+ ${bundle} exec rake redmine:plugins:migrate
+ ${bundle} exec rake redmine:load_default_data
 '';
 serviceConfig = {
- PermissionsStartOnly = true; # preStart must be run as root
 Type = "simple";
 User = cfg.user;
 Group = cfg.group;
@@ -348,7 +341,6 @@ in
 { name = "redmine";
 group = cfg.group;
 home = cfg.stateDir;
- createHome = true;
 uid = config.ids.uids.redmine;
 });
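Review bot: Dropping `PermissionsStartOnly = true` in serviceConfig makes the whole preStart run as `cfg.user`, including `DBPASS=$(head -n1 ${cfg.database.passwordFile})` in the previous hunk; a passwordFile readable only by root, which the old root-run preStart accepted, now fails at start or yields an empty password depending on the script's error handling. The `database.passwordFile` option description (outside this diff) should state that the file must be readable by the service user, and the commit message could flag this as a change existing deployments have to act on. As a side note, the removed `su -l redmine` lines hard-coded the user name whereas the new `${bundle} exec rake` lines run as `cfg.user`; the deleted NOTE about mysql socket authentication is still worth keeping in shorter form, e.g. `# migrations run as cfg.user, which is also what mysql socket authentication sees`.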