nixos/redmine: fix permissions & cleanup
parent
01d8894c4d
commit
43258201b9
1 changed files with 32 additions and 40 deletions
|
@ -234,10 +234,33 @@ in
|
||||||
|
|
||||||
environment.systemPackages = [ cfg.package ];
|
environment.systemPackages = [ cfg.package ];
|
||||||
|
|
||||||
|
# create symlinks for the basic directory layout the redmine package expects
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
|
||||||
|
"d '${cfg.stateDir}/cache' 0750 ${cfg.user} ${cfg.group} - -"
|
||||||
|
"d '${cfg.stateDir}/config' 0750 ${cfg.user} ${cfg.group} - -"
|
||||||
|
"d '${cfg.stateDir}/files' 0750 ${cfg.user} ${cfg.group} - -"
|
||||||
|
"d '${cfg.stateDir}/log' 0750 ${cfg.user} ${cfg.group} - -"
|
||||||
|
"d '${cfg.stateDir}/plugins' 0750 ${cfg.user} ${cfg.group} - -"
|
||||||
|
"d '${cfg.stateDir}/public' 0750 ${cfg.user} ${cfg.group} - -"
|
||||||
|
"d '${cfg.stateDir}/public/plugin_assets' 0750 ${cfg.user} ${cfg.group} - -"
|
||||||
|
"d '${cfg.stateDir}/public/themes' 0750 ${cfg.user} ${cfg.group} - -"
|
||||||
|
"d '${cfg.stateDir}/tmp' 0750 ${cfg.user} ${cfg.group} - -"
|
||||||
|
|
||||||
|
"d /run/redmine - - - - -"
|
||||||
|
"d /run/redmine/public - - - - -"
|
||||||
|
"L+ /run/redmine/config - - - - ${cfg.stateDir}/config"
|
||||||
|
"L+ /run/redmine/files - - - - ${cfg.stateDir}/files"
|
||||||
|
"L+ /run/redmine/log - - - - ${cfg.stateDir}/log"
|
||||||
|
"L+ /run/redmine/plugins - - - - ${cfg.stateDir}/plugins"
|
||||||
|
"L+ /run/redmine/public/plugin_assets - - - - ${cfg.stateDir}/public/plugin_assets"
|
||||||
|
"L+ /run/redmine/public/themes - - - - ${cfg.stateDir}/public/themes"
|
||||||
|
"L+ /run/redmine/tmp - - - - ${cfg.stateDir}/tmp"
|
||||||
|
];
|
||||||
|
|
||||||
systemd.services.redmine = {
|
systemd.services.redmine = {
|
||||||
after = [ "network.target" (if cfg.database.type == "mysql2" then "mysql.service" else "postgresql.service") ];
|
after = [ "network.target" (if cfg.database.type == "mysql2" then "mysql.service" else "postgresql.service") ];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
environment.HOME = "${cfg.package}/share/redmine";
|
|
||||||
environment.RAILS_ENV = "production";
|
environment.RAILS_ENV = "production";
|
||||||
environment.RAILS_CACHE = "${cfg.stateDir}/cache";
|
environment.RAILS_CACHE = "${cfg.stateDir}/cache";
|
||||||
environment.REDMINE_LANG = "en";
|
environment.REDMINE_LANG = "en";
|
||||||
|
@ -252,28 +275,16 @@ in
|
||||||
subversion
|
subversion
|
||||||
];
|
];
|
||||||
preStart = ''
|
preStart = ''
|
||||||
# ensure cache directory exists for db:migrate command
|
rm -rf "${cfg.stateDir}/plugins/"*
|
||||||
mkdir -p "${cfg.stateDir}/cache"
|
rm -rf "${cfg.stateDir}/public/themes/"*
|
||||||
|
|
||||||
# create the basic directory layout the redmine package expects
|
|
||||||
mkdir -p /run/redmine/public
|
|
||||||
|
|
||||||
for i in config files log plugins tmp; do
|
|
||||||
mkdir -p "${cfg.stateDir}/$i"
|
|
||||||
ln -fs "${cfg.stateDir}/$i" /run/redmine/
|
|
||||||
done
|
|
||||||
|
|
||||||
for i in plugin_assets themes; do
|
|
||||||
mkdir -p "${cfg.stateDir}/public/$i"
|
|
||||||
ln -fs "${cfg.stateDir}/public/$i" /run/redmine/public/
|
|
||||||
done
|
|
||||||
|
|
||||||
|
|
||||||
# start with a fresh config directory
|
# start with a fresh config directory
|
||||||
# the config directory is copied instead of linked as some mutable data is stored in there
|
# the config directory is copied instead of linked as some mutable data is stored in there
|
||||||
rm -rf "${cfg.stateDir}/config/"*
|
find "${cfg.stateDir}/config" ! -name "secret_token.rb" -type f -exec rm -f {} +
|
||||||
cp -r ${cfg.package}/share/redmine/config.dist/* "${cfg.stateDir}/config/"
|
cp -r ${cfg.package}/share/redmine/config.dist/* "${cfg.stateDir}/config/"
|
||||||
|
|
||||||
|
chmod -R u+w "${cfg.stateDir}/config"
|
||||||
|
|
||||||
# link in the application configuration
|
# link in the application configuration
|
||||||
ln -fs ${configurationYml} "${cfg.stateDir}/config/configuration.yml"
|
ln -fs ${configurationYml} "${cfg.stateDir}/config/configuration.yml"
|
||||||
|
|
||||||
|
@ -282,7 +293,6 @@ in
|
||||||
|
|
||||||
|
|
||||||
# link in all user specified themes
|
# link in all user specified themes
|
||||||
rm -rf "${cfg.stateDir}/public/themes/"*
|
|
||||||
for theme in ${concatStringsSep " " (mapAttrsToList unpackTheme cfg.themes)}; do
|
for theme in ${concatStringsSep " " (mapAttrsToList unpackTheme cfg.themes)}; do
|
||||||
ln -fs $theme/* "${cfg.stateDir}/public/themes"
|
ln -fs $theme/* "${cfg.stateDir}/public/themes"
|
||||||
done
|
done
|
||||||
|
@ -292,16 +302,11 @@ in
|
||||||
|
|
||||||
|
|
||||||
# link in all user specified plugins
|
# link in all user specified plugins
|
||||||
rm -rf "${cfg.stateDir}/plugins/"*
|
|
||||||
for plugin in ${concatStringsSep " " (mapAttrsToList unpackPlugin cfg.plugins)}; do
|
for plugin in ${concatStringsSep " " (mapAttrsToList unpackPlugin cfg.plugins)}; do
|
||||||
ln -fs $plugin/* "${cfg.stateDir}/plugins/''${plugin##*-redmine-plugin-}"
|
ln -fs $plugin/* "${cfg.stateDir}/plugins/''${plugin##*-redmine-plugin-}"
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
||||||
# ensure correct permissions for most files
|
|
||||||
chmod -R ug+rwX,o-rwx+x "${cfg.stateDir}/"
|
|
||||||
|
|
||||||
|
|
||||||
# handle database.passwordFile & permissions
|
# handle database.passwordFile & permissions
|
||||||
DBPASS=$(head -n1 ${cfg.database.passwordFile})
|
DBPASS=$(head -n1 ${cfg.database.passwordFile})
|
||||||
cp -f ${databaseYml} "${cfg.stateDir}/config/database.yml"
|
cp -f ${databaseYml} "${cfg.stateDir}/config/database.yml"
|
||||||
|
@ -315,25 +320,13 @@ in
|
||||||
chmod 440 "${cfg.stateDir}/config/initializers/secret_token.rb"
|
chmod 440 "${cfg.stateDir}/config/initializers/secret_token.rb"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
# ensure everything is owned by ${cfg.user}
|
|
||||||
chown -R ${cfg.user}:${cfg.group} "${cfg.stateDir}"
|
|
||||||
|
|
||||||
|
|
||||||
# execute redmine required commands prior to starting the application
|
# execute redmine required commands prior to starting the application
|
||||||
# NOTE: su required in case using mysql socket authentication
|
${bundle} exec rake db:migrate
|
||||||
/run/wrappers/bin/su -s ${pkgs.bash}/bin/bash -m -l redmine -c '${bundle} exec rake db:migrate'
|
${bundle} exec rake redmine:plugins:migrate
|
||||||
/run/wrappers/bin/su -s ${pkgs.bash}/bin/bash -m -l redmine -c '${bundle} exec rake redmine:plugins:migrate'
|
${bundle} exec rake redmine:load_default_data
|
||||||
/run/wrappers/bin/su -s ${pkgs.bash}/bin/bash -m -l redmine -c '${bundle} exec rake redmine:load_default_data'
|
|
||||||
|
|
||||||
|
|
||||||
# log files don't exist until after first command has been executed
|
|
||||||
# correct ownership of files generated by calling exec rake ...
|
|
||||||
chown -R ${cfg.user}:${cfg.group} "${cfg.stateDir}/log"
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
PermissionsStartOnly = true; # preStart must be run as root
|
|
||||||
Type = "simple";
|
Type = "simple";
|
||||||
User = cfg.user;
|
User = cfg.user;
|
||||||
Group = cfg.group;
|
Group = cfg.group;
|
||||||
|
@ -348,7 +341,6 @@ in
|
||||||
{ name = "redmine";
|
{ name = "redmine";
|
||||||
group = cfg.group;
|
group = cfg.group;
|
||||||
home = cfg.stateDir;
|
home = cfg.stateDir;
|
||||||
createHome = true;
|
|
||||||
uid = config.ids.uids.redmine;
|
uid = config.ids.uids.redmine;
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
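Review bot: Dropping `PermissionsStartOnly = true` from `serviceConfig` means the whole `preStart` script now runs as `cfg.user`, so the unchanged line `DBPASS=$(head -n1 ${cfg.database.passwordFile})` reads the database secret as the unprivileged service account instead of root. A password file readable only by root, which worked before this commit, can no longer be read, and nothing in the visible hunks checks for that or tells the operator. I would add a comment above that line, `# preStart runs as ${cfg.user}: database.passwordFile must be readable by that user`, and state the same requirement in the option's description, which is outside these hunks. Quoting the path, `DBPASS=$(head -n1 "${cfg.database.passwordFile}")`, would also keep a path containing spaces from being split.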