NixOS / nixpkgs

Nix Packages collection & NixOS

Pixelfed nixos module can't serve images #235147

Open wlcx opened 1 year ago

wlcx commented 1 year ago

Describe the bug

The Pixelfed nixos module results in a configuration where the web server is unable to read the uploaded user images.

I am running Pixelfed in a nixos container, but I don't think this should affect anything?

Steps To Reproduce

Steps to reproduce the behavior:

  1. Configure a pixelfed instance
  2. Upload a post
  3. Try to view that post (federated or locally)

Notify maintainers

@RaitoBezarius

RaitoBezarius commented 1 year ago

We need to add NGINX to the Pixelfed group I guess.

On Wed, 31 May 2023 at 09:58, Sam W @.***> wrote:

Describe the bug

The Pixelfed nixos module results in a configuration where the web server is unable to read the uploaded user images.

  • Media files are uploaded as the pixelfed user, with file mode 0700

  • Nginx is then unable to serve those files, e.g.

    May 31 08:47:57 pixelfed nginx[456]: 2023/05/31 08:47:57 [crit] 456#456: *123 stat() "/nix/store/7bm468m2n4f0pljngwv6ad58283m6l6a-pixelfed-pixelfed/public/storage/m/_v2/568711314458775553/c537ce87c-f5971d/SQE7yPyNuyOo/K3yL7HIA4HazNkCmvJENwANOay7klGFqM6SJFUnZ.jpg" failed (13: Permission denied), client: 192.168.101.2, server: , request: "GET /storage/m/_v2/568711314458775553/c537ce87c-f5971d/SQE7yPyNuyOo/K3yL7HIA4HazNkCmvJENwANOay7klGFqM6SJFUnZ.jpg HTTP/1.1", host: ""

  • This comes up in issues on the pixelfed repo, e.g. pixelfed/pixelfed#3801 (https://github.com/pixelfed/pixelfed/issues/3801) - the common solution seems to be to run the pixelfed php fpm and the web server as the same user.


wlcx commented 1 year ago

Looks like this might be fixed in 0.11.8! https://github.com/pixelfed/pixelfed/commit/22da2647c7f28f7e1d6a588f4549c3326aee9356

wlcx commented 1 year ago

> We need to add NGINX to the Pixelfed group I guess.

It already is by default, the issue is that files/directories get created with no group read permission. But as per above comment, looks like a version bump might fix this :)

jenselofsson commented 10 months ago

This is still an issue for me, even after the bump to 0.11.8 here: https://github.com/NixOS/nixpkgs/pull/238307

My theory is that Pixelfed still sets incorrect permissions for images created in app/public. The fix that @wlcx linked to https://github.com/pixelfed/pixelfed/commit/22da2647c7f28f7e1d6a588f4549c3326aee9356 only fixes the permissions for images stored as "local", and not as "public": https://github.com/pixelfed/pixelfed/blob/dev/config/filesystems.php#L61

The pixelfed-module seems to store the images in storage/app/public/.../ which is why I think that they are getting the incorrect permissions.

Those are at least my thoughts on it without doing too much digging around.

wlcx commented 10 months ago

Yeah I think I'm seeing this too.

jenselofsson commented 10 months ago

I tried adding "FILESYSTEM_DRIVER" = "local" to the pixelfed settings, as detailed in https://docs.pixelfed.org/technical-documentation/config/#filesystem_driver

But it had no effect at all. It's also a bit confusing since "local" is the default, but the path where the images are stored makes it seem like "public" is used.

kivikakk commented 4 months ago

Can confirm still reproduces on 0.11.11 (i.e. as of nixos-23.11). storage is 0750, as is storage/m, but storage/m/_v2 is 0700, as are its subdirectories and files.
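Added example, not part of the thread and not nixpkgs or Pixelfed code: a small shell diagnostic that walks a storage path and reports the first component a group-only reader (such as nginx in the pixelfed group) cannot get past. The helper names, the subdirectory `1` and the file `a.jpg` are constructed; the modes in the sample tree are the ones reported in the comment above.

```shell
#!/bin/sh
# Added diagnostic (hypothetical helper names; not nixpkgs or Pixelfed code).

# Succeeds if every permission bit in octal mask $2 is set on path $1.
has_mode_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# first_group_blocker BASE RELPATH
# Walks BASE and then each component of RELPATH. Prints the first path a
# group-only reader cannot get past and returns 1; returns 0 if none.
# Directories need group execute (010) to be traversed, the file group read (040).
# Run as root or the owning user so every component can be examined.
first_group_blocker() {
    cur=$1
    has_mode_bits "$cur" 010 || { printf '%s\n' "$cur"; return 1; }
    old_ifs=$IFS; IFS=/
    set -f; set -- $2; set +f      # split RELPATH on "/" without globbing
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur=$cur/$part
        if [ -d "$cur" ]; then need=010; else need=040; fi
        has_mode_bits "$cur" "$need" || { printf '%s\n' "$cur"; return 1; }
    done
    return 0
}

# Constructed sample tree using the modes reported in the thread.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/storage/m/_v2/1"
    : > "$t/storage/m/_v2/1/a.jpg"
    chmod 0750 "$t/storage" "$t/storage/m"
    chmod 0700 "$t/storage/m/_v2" "$t/storage/m/_v2/1" "$t/storage/m/_v2/1/a.jpg"
    printf '%s\n' "$t"
}

# Demo on the constructed tree: prints the path ending in storage/m/_v2.
tree=$(make_sample_tree)
first_group_blocker "$tree/storage" "m/_v2/1/a.jpg" || true
rm -rf "$tree"
```

Fixing only the reported directory is not enough: rerun the check after each change, since every deeper directory and the file itself carry the same 0700 mode.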

RaitoBezarius commented 4 months ago

Argh, I missed the reopening. I will take a look again when I can.