Merge remote-tracking branch 'tv/master'

krebs/3modules/default.nix

@@ -39,6 +39,7 @@ let
       ./nixpkgs.nix
       ./on-failure.nix
       ./os-release.nix
+      ./permown.nix
       ./per-user.nix
       ./power-action.nix
       ./Reaktor.nix

krebs/3modules/permown.nix

@@ -0,0 +1,74 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: {
+
+  options.krebs.permown = mkOption {
+    default = [];
+    type = types.listOf (types.submodule {
+      options = {
+        directory-mode = mkOption {
+          default = "=rwx";
+          type = types.str; # TODO
+        };
+        file-mode = mkOption {
+          default = "=rw";
+          type = types.str; # TODO
+        };
+        group = mkOption {
+          apply = x: if x == null then "" else x;
+          default = null;
+          type = types.nullOr types.groupname;
+        };
+        owner = mkOption {
+          type = types.username;
+        };
+        path = mkOption {
+          type = types.absolute-pathname;
+        };
+        umask = mkOption {
+          default = "0027";
+          type = types.file-mode;
+        };
+      };
+    });
+  };
+
+  config.systemd.services = genAttrs' config.krebs.permown (plan: {
+    name = "permown.${replaceStrings ["/"] ["_"] plan.path}";
+    value = {
+      environment = {
+        DIR_MODE = plan.directory-mode;
+        FILE_MODE = plan.file-mode;
+        OWNER_GROUP = "${plan.owner}:${plan.group}";
+        ROOT_PATH = plan.path;
+      };
+      path = [
+        pkgs.coreutils
+        pkgs.findutils
+        pkgs.inotifyTools
+      ];
+      serviceConfig = {
+        ExecStart = pkgs.writeDash "permown" ''
+          set -efu
+
+          find "$ROOT_PATH" -exec chown "$OWNER_GROUP" {} +
+          find "$ROOT_PATH" -type d -exec chmod "$DIR_MODE" {} +
+          find "$ROOT_PATH" -type f -exec chmod "$FILE_MODE" {} +
+
+          inotifywait -mrq -e CREATE --format %w%f "$ROOT_PATH" |
+          while read -r path; do
+            if test -d "$path"; then
+              exec "$0" "$@"
+            fi
+            chown "$OWNER_GROUP" "$path"
+            chmod "$FILE_MODE" "$path"
+          done
+        '';
+        Restart = "always";
+        RestartSec = 10;
+        UMask = plan.umask;
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+  });
+
+}

lib/types.nix

@@ -542,21 +542,28 @@ rec {
     merge = mergeOneOption;
   };
 
-  # POSIX.1‐2013, 3.278 Portable Filename Character Set
+  # POSIX.1‐2017, 3.190 Group Name
+  groupname = mkOptionType {
+    name = "POSIX group name";
+    check = filename.check;
+    merge = mergeOneOption;
+  };
+
+  # POSIX.1‐2017, 3.281 Portable Filename
   filename = mkOptionType {
-    name = "POSIX filename";
+    name = "POSIX portable filename";
     check = test "[0-9A-Za-z._][0-9A-Za-z._-]*";
     merge = mergeOneOption;
   };
 
-  # POSIX.1‐2013, 3.2 Absolute Pathname
+  # POSIX.1‐2017, 3.2 Absolute Pathname
   absolute-pathname = mkOptionType {
     name = "POSIX absolute pathname";
     check = x: isString x && substring 0 1 x == "/" && pathname.check x;
     merge = mergeOneOption;
   };
 
-  # POSIX.1‐2013, 3.267 Pathname
+  # POSIX.1-2017, 3.271 Pathname
   pathname = mkOptionType {
     name = "POSIX pathname";
     check = x:
@@ -570,9 +577,9 @@ rec {
     merge = mergeOneOption;
   };
 
-  # POSIX.1-2013, 3.431 User Name
+  # POSIX.1-2017, 3.216 Login Name
   username = mkOptionType {
-    name = "POSIX username";
+    name = "POSIX login name";
     check = filename.check;
     merge = mergeOneOption;
   };