Alyssa Ross
e3e4975c49 nixos/public-inbox: use DynamicUser for readers
public-inbox-{http,nntp,imap}d only need to be able to read the
repositories, so they don't need to run as the public-inbox user,
which has write permission for /var/lib/public-inbox.

Annoyingly, confinement is currently not compatible with DynamicUser,
so we can't enable both at the same time.
2023-05-28 16:01:22 +00:00
Alyssa Ross
948e1ca5ad nixos/public-inbox: don't set RootDirectory=
As far as I can tell, this is redundant with TemporaryFileSystem=/.
2023-05-28 16:01:20 +00:00

@@ -53,7 +53,9 @@ let
# if running simultaneous services.
NonBlocking = true;
#LimitNOFILE = 30000;
User = config.users.users."public-inbox".name;
User =
lib.mkIf config.systemd.services."public-inbox-${srv}".confinement.enable
config.users.users."public-inbox".name;
Group = config.users.groups."public-inbox".name;
RuntimeDirectory = [
"public-inbox-${srv}/perl-inline"
@@ -61,9 +63,7 @@ let
RuntimeDirectoryMode = "700";
# This is for BindPaths= and BindReadOnlyPaths=
# to allow traversal of directories they create inside RootDirectory=
UMask = "0066";
StateDirectory = ["public-inbox"];
StateDirectoryMode = "0750";
UMask = "0026";
WorkingDirectory = stateDir;
BindReadOnlyPaths = [
"/etc"
@@ -109,7 +109,6 @@ let
SystemCallArchitectures = "native";
# The following options are redundant when confinement is enabled
RootDirectory = "/var/empty";
TemporaryFileSystem = "/";
PrivateMounts = true;
MountAPIVFS = true;
@@ -434,8 +433,10 @@ in
(mkIf cfg.imap.enable
{ public-inbox-imapd = mkMerge [(serviceConfig "imapd") {
after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
environment.PI_DIR = "/var/lib/public-inbox/.public-inbox";
requires = [ "public-inbox-init.service" ];
serviceConfig = {
DynamicUser = !config.systemd.services."public-inbox-imapd".confinement.enable;
ExecStart = escapeShellArgs (
[ "${cfg.package}/bin/public-inbox-imapd" ] ++
cfg.imap.args ++
@@ -448,8 +449,10 @@ in
(mkIf cfg.http.enable
{ public-inbox-httpd = mkMerge [(serviceConfig "httpd") {
after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
environment.PI_DIR = "/var/lib/public-inbox/.public-inbox";
requires = [ "public-inbox-init.service" ];
serviceConfig = {
DynamicUser = !config.systemd.services."public-inbox-httpd".confinement.enable;
ExecStart = escapeShellArgs (
[ "${cfg.package}/bin/public-inbox-httpd" ] ++
cfg.http.args ++
@@ -487,8 +490,10 @@ in
(mkIf cfg.nntp.enable
{ public-inbox-nntpd = mkMerge [(serviceConfig "nntpd") {
after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
environment.PI_DIR = "/var/lib/public-inbox/.public-inbox";
requires = [ "public-inbox-init.service" ];
serviceConfig = {
DynamicUser = !config.systemd.services."public-inbox-nntpd".confinement.enable;
ExecStart = escapeShellArgs (
[ "${cfg.package}/bin/public-inbox-nntpd" ] ++
cfg.nntp.args ++
@@ -509,6 +514,10 @@ in
serviceConfig = {
ExecStart = "${cfg.package}/bin/public-inbox-watch";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
StateDirectory = ["public-inbox"];
StateDirectoryMode = "0750";
User = config.users.users."public-inbox".name;
Group = config.users.groups."public-inbox".name;
};
}];
})
@@ -562,15 +571,22 @@ in
ls -1 "$inbox" | grep -q '^xap' ||
${cfg.package}/bin/public-inbox-index "$inbox"
done
# Older versions of the module did not make inboxes group-readable.
# chmod -R g+r ${stateDir}/inboxes
'';
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
StateDirectory = [
"public-inbox"
"public-inbox/.public-inbox"
"public-inbox/.public-inbox/emergency"
"public-inbox/inboxes"
];
StateDirectoryMode = "0750";
User = config.users.users."public-inbox".name;
Group = config.users.groups."public-inbox".name;
};
}];
})