From 0fe47395569c72f050f7cc4a59c78875eca3e58c Mon Sep 17 00:00:00 2001
From: cy
Date: Sat, 11 Jan 2025 17:16:29 -0500
Subject: [PATCH] nixos/garage: add user-given path to ReadWritePaths
If the user has specified a custom data_dir or meta_dir, this results in garage service failing with read-only filesystem error since the service runs with DynamicUser by default.
---
 nixos/modules/services/web-servers/garage.nix | 49 +++++++++++--------
 1 file changed, 28 insertions(+), 21 deletions(-)
diff --git a/nixos/modules/services/web-servers/garage.nix b/nixos/modules/services/web-servers/garage.nix
index bfc3fed4a2a5a..764812831902f 100644
--- a/nixos/modules/services/web-servers/garage.nix
+++ b/nixos/modules/services/web-servers/garage.nix
@@ -11,13 +11,6 @@ let
 cfg = config.services.garage; toml = pkgs.formats.toml { }; configFile = toml.generate "garage.toml" cfg.settings;
-
- anyHasPrefix = prefix: strOrList: if isString strOrList then hasPrefix prefix strOrList else any ({ path, ... }: hasPrefix prefix path) strOrList;
 in { meta = {
@@ -44,13 +37,13 @@ in
 }; logLevel = mkOption {
- type = types.enum ([
+ type = types.enum [
 "error" "warn" "info" "debug" "trace"
- ]);
+ ];
 default = "info"; example = "debug"; description = "Garage log level, see for examples.";
@@ -125,18 +118,32 @@ in
 restartTriggers = [ configFile ] ++ (lib.optional (cfg.environmentFile != null) cfg.environmentFile);
- serviceConfig = {
- ExecStart = "${cfg.package}/bin/garage server";
-
- StateDirectory = mkIf (
- anyHasPrefix "/var/lib/garage" cfg.settings.data_dir
- || hasPrefix "/var/lib/garage" cfg.settings.metadata_dir
- ) "garage";
- DynamicUser = lib.mkDefault true;
- ProtectHome = true;
- NoNewPrivileges = true;
- EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
- };
+ serviceConfig =
+ let
+ paths = lib.flatten (
+ with cfg.settings;
+ [
+ metadata_dir
+ ]
+ # data_dir can either be a string or a list of attrs
+ # if data_dir is a list, the actual path will in in the `path` attribute of each item
+ # see https://garagehq.deuxfleurs.fr/documentation/reference-manual/configuration/#data_dir
+ ++ lib.optional (lib.isList data_dir) (map (item: item.path) data_dir)
+ ++ lib.optional (lib.isString data_dir) [ data_dir ]
+ );
+ isDefault = lib.hasPrefix "/var/lib/garage";
+ isDefaultStateDirectory = lib.any isDefault paths;
+ in
+ {
+ ExecStart = "${cfg.package}/bin/garage server";
+
+ StateDirectory = lib.mkIf isDefaultStateDirectory "garage";
+ DynamicUser = lib.mkDefault true;
+ ProtectHome = true;
+ NoNewPrivileges = true;
+ EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
+ ReadWritePaths = lib.filter (x: !(isDefault x)) (lib.flatten [ paths ]);
+ };
 environment = { RUST_LOG = lib.mkDefault "garage=${cfg.logLevel}"; } // cfg.extraEnvironment;
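Review bot: `isDefault = lib.hasPrefix "/var/lib/garage"` is a plain string-prefix test, so a custom directory whose name merely starts with that string (a constructed example: `/var/lib/garage-meta`) is classified as the state directory, never reaches `ReadWritePaths`, and reproduces the read-only failure this commit sets out to fix; a boundary-aware predicate avoids that: `isDefault = p: p == "/var/lib/garage" || lib.hasPrefix "/var/lib/garage/" p;`. Since `DynamicUser = true` implies `ProtectSystem=strict`, `ReadWritePaths` only lifts the read-only mount for the listed paths — it neither creates them nor makes them writable by the dynamic UID, and unless I misremember a non-existent entry without a leading `-` prefix makes the unit fail to start — so the `data_dir`/`metadata_dir` option descriptions should state that a custom directory must exist and be writable by the service user before the unit starts. `paths` is already the result of `lib.flatten`, so `lib.flatten [ paths ]` on the `ReadWritePaths` line is redundant and can be `lib.filter (x: !(isDefault x)) paths`. The second comment above the `++` lines has a typo (`will in in`).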