Unverified Commit 10fc05bf authored by networkException's avatar networkException

nixos/matrix-synapse: allow synapse to write to directories of unix socket paths

this patch takes the path of all unix socket listeners and appends their
respective parent directories to the ReadWritePaths allow list for the
matrix-synapse systemd service.

previously configuring a unix socket in a directory not writable by
synapse would fail.
parent 2f2208ac
+2 −1
@@ -1232,7 +1232,8 @@ in {
            ProtectKernelTunables = true;
            ProtectProc = "invisible";
            ProtectSystem = "strict";
            ReadWritePaths = [ cfg.dataDir cfg.settings.media_store_path ];
            ReadWritePaths = [ cfg.dataDir cfg.settings.media_store_path ] ++
              (map (listener: dirOf listener.path) (filter (listener: listener.path != null) cfg.settings.listeners));
            RemoveIPC = true;
            RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
            RestrictNamespaces = true;
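Review bot: The new `dirOf listener.path` entries make the whole parent directory of every unix-socket listener writable by the service, so a socket placed directly in a shared location (constructed example: `/run/synapse.sock`) would make all of `/run` writable despite `ProtectSystem = "strict"`. Nothing in the hunk constrains or documents this, so I would add a comment above the assignment such as `# each socket's parent directory becomes writable by synapse; use a dedicated directory for the socket, not a shared one`, and repeat that in the listener `path` option description. systemd also refuses to start a unit when a `ReadWritePaths` entry without the `-` prefix does not exist, so the directory has to be created before the service starts; that is worth stating in the same place. The filter assumes every listener carries a `path` attribute that defaults to null, which is not visible here, and the surrounding `serviceConfig` set starts and ends outside the hunk.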