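{
  lib,
  config,
  pkgs,
  ...
}:
let
  # Single source of truth for the storage path and its owner/group. The same
  # numbers were previously repeated in the tmpfiles rule and in the service
  # script, so a change in one place could silently drift from the other.
  storagePath = "/OchreStorage";
  storageUid = 1000;
  storageGid = 1004;
  # 2775: setgid on the directory (new entries inherit the directory's group),
  # rwx for owner and group, r-x for everyone else. Note that the r-x for
  # "other" lets any local account list and read the tree; use 2770 if the
  # contents should be reachable only by the owning user and group.
  storageMode = "2775";
in
{
  imports = lib.flatten [
    (map lib.custom.relativeToRoot [
      "hosts/global/common/system/lxc.nix"
      "hosts/global/common/system/pool.nix"
    ])
  ];

  # Ochre has no access to PVE DockerStorage, so sock will have its own storage
  systemd.tmpfiles.rules = [
    # Create the directory with the setgid bit and the expected owner/group.
    "d ${storagePath} ${storageMode} ${toString storageUid} ${toString storageGid} -"
  ];

  # Oneshot unit that (re)applies ownership, mode and default ACLs on every
  # boot; ACLs cannot be expressed in the plain `d` tmpfiles line above.
  systemd.services.ochre-storage-permissions = {
    description = "Set proper permissions for OchreStorage";
    wantedBy = [ "multi-user.target" ];
    # The tmpfiles rule creates the directory; order after tmpfiles setup so
    # the ACLs are applied to that directory instead of racing with it.
    after = [
      "local-fs.target"
      "systemd-tmpfiles-setup.service"
    ];
    path = with pkgs; [
      acl
      coreutils
    ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      # Ensure directory exists and has correct ownership/permissions
      mkdir -p ${storagePath}
      chown ${toString storageUid}:${toString storageGid} ${storagePath}
      chmod ${storageMode} ${storagePath}

      # Default ACLs: files and sub-directories created here afterwards
      # inherit rwx for the owning uid and gid. Entries that already exist
      # keep whatever ACL they had; this does not retroactively fix them.
      setfacl -d -m u:${toString storageUid}:rwx ${storagePath}
      setfacl -d -m g:${toString storageGid}:rwx ${storagePath}
    '';
  };

  environment.systemPackages = with pkgs; [ acl ];
}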