Open bgamari opened 8 months ago
For the record, the ownership of the backend database appears to be sensible:
# ls -ld /var/lib/codimd/db.codimd.sqlite
-rw-r--r-- 1 hedgedoc hedgedoc 10043392 Jan 12 21:15 /var/lib/codimd/db.codimd.sqlite
FWIW, I found that moving /var/lib/codimd/db.codimd.sqlite to /var/lib/hedgedoc/db.hedgedoc.sqlite (and updating services.hedgedoc.settings.db.storage) avoids the issue.
Yeah, this is expected when using ProtectSystem="strict", see https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html. The database path is supposed to be added to ReadWritePaths, whitelisting it from ProtectSystem. There was no default value provided for settings.db.storage before #244941, so I don't think the updated example (and now default) of /var/lib/${name}/db.${name}.sqlite -> /var/lib/${name}/db.sqlite should be causing any issues.
I noticed that it only gets added when using settings.db.storage, and not with settings.dbUrl. I believe there's a case where, if you had configured your database by dbURL = "sqlite:/var/lib/codimd/db.codimd.sqlite", it would be broken in this way. But looking at the config from the gist, that doesn't seem to be what's happening here.
@bgamari Do you have the value of ReadWritePaths on the broken setup readily available? If not, I'll set up a reproduction.
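As an added example (not code from this thread or from the nixpkgs hedgedoc module), the following shell check answers the question above offline: given the output of "systemctl show -p ProtectSystem -p ReadWritePaths hedgedoc.service" and the database path, it reports whether a unit hardened with ProtectSystem=strict can write that database. The samples embedded in it are constructed, and the ReadWritePaths values they contain are assumptions rather than values from the affected setup. It also checks the sibling -journal path, because SQLite creates a rollback journal (or -wal/-shm files) next to the database on write, so listing only the database file in ReadWritePaths is not enough; its directory has to be writable.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or the nixpkgs hedgedoc module.
# Decides whether a SQLite database is writable by a service hardened with
# ProtectSystem=strict, given the unit's properties as printed by
#   systemctl show -p ProtectSystem -p ReadWritePaths hedgedoc.service
# The samples at the bottom are constructed so the script runs without systemd.
set -eu

# path_covered SPACE_SEPARATED_ENTRIES PATH
# Succeeds if PATH equals, or lies beneath, one of the ReadWritePaths entries;
# each entry is bind-mounted read-write, including everything below it.
path_covered() {
  local entries=$1 path=$2 entry
  for entry in $entries; do
    # systemd allows a leading "-" (ignore if missing) and "+" (relative to RootDirectory).
    entry=${entry#-}; entry=${entry#+}
    case "$path" in
      "$entry"|"$entry"/*) return 0 ;;
    esac
  done
  return 1
}

# db_writable SYSTEMCTL_SHOW_OUTPUT DB_PATH
# Succeeds if the service can write both the database file and the rollback
# journal SQLite creates beside it (DB_PATH-journal). Whitelisting only the
# file itself is therefore not sufficient; the containing directory must be.
db_writable() {
  local show=$1 db=$2 protect rw
  protect=$(printf '%s\n' "$show" | sed -n 's/^ProtectSystem=//p')
  # Only "strict" mounts the whole file system hierarchy read-only;
  # "yes"/"full"/"no" leave /var/lib writable.
  [ "$protect" = "strict" ] || return 0
  rw=$(printf '%s\n' "$show" | sed -n 's/^ReadWritePaths=//p')
  path_covered "$rw" "$db" && path_covered "$rw" "$db-journal"
}

# Constructed sample (assumed values): the situation the issue describes, the
# database still at the old codimd path while only the new state directory is
# writable.
BROKEN='ProtectSystem=strict
ReadWritePaths=/var/lib/hedgedoc'

# Constructed sample (assumed values): the database's directory added to
# ReadWritePaths as well.
FIXED='ProtectSystem=strict
ReadWritePaths=/var/lib/hedgedoc /var/lib/codimd'

if db_writable "$BROKEN" /var/lib/codimd/db.codimd.sqlite; then
  echo "broken sample: writable (unexpected)"
else
  echo "broken sample: /var/lib/codimd/db.codimd.sqlite is read-only under ProtectSystem=strict"
fi
db_writable "$FIXED" /var/lib/codimd/db.codimd.sqlite && echo "fixed sample: writable"
```

To use it against a real unit, replace the sample strings with the output of "systemctl show -p ProtectSystem -p ReadWritePaths hedgedoc.service" and pass the path taken from settings.db.storage or from the sqlite: dbUrl.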
Can you please provide a patch after you figured out what's wrong here? I do not really have the time to look into this in detail :/
Describe the bug
The hardening measures of the hedgedoc systemd unit taken in https://github.com/NixOS/nixpkgs/pull/244941/commits/a70a3e61d77e64233b12e6ed678fbdf4b694c262 appear to break the service in at least some configurations.
Steps To Reproduce
Steps to reproduce the behavior:
1. On a nixpkgs commit prior to the regressing commit: enable hedgedoc and create some content (the configuration of one affected environment can be found in https://gist.github.com/bgamari/b47127766dbbc4f2536dd290da85efbb)
2. Upgrade to nixos-23.11
Expected behavior
Hedgedoc will continue to operate as expected.