module: fix DNS by adding resolv.conf, ssl dirs to

BindReadOnlyPaths This should fix temporary name resolution errors observed in erpnext. Minor cleanup and explanatory comment for confinement.packages We don't use pkgs from path, but prefer explicitly referring to pkgs
2023-07-18 12:23:09 +02:00 · 2023-07-18 12:23:09 +02:00 · ceb04d96de
parent 5519e0d6fe
commit ceb04d96de
1 changed files with 13 additions and 2 deletions
--- a/modules/erpnext.nix
+++ b/modules/erpnext.nix
@ -212,6 +212,9 @@ in
      Type = "simple";
      BindReadOnlyPaths = [
        "/etc/hosts:/etc/hosts"
+        "/etc/resolv.conf:/etc/resolv.conf"
+        "/etc/ssl:/etc/ssl"
+        "/etc/static/ssl:/etc/static/ssl"
        "/run/agenix:/run/agenix"
        "${pkgs.frappe-app}:${pkgs.frappe-app}"
        "${pkgs.frappe-app}/share/apps/frappe:${cfg.benchDir}/apps/frappe"
@ -330,12 +333,20 @@ in
      description = "ERPNext web server";
      confinement = {
        enable = true;
-        packages = [ pkgs.mariadb-client penv ];
+        # pkgs listed here get added to the services' BindReadOnlyPaths
+        # The same is true for pkgs referred to in ExecStartPre, ExecStart, etc.
+        # Explicitily listing these pkgs here for visibility
+        packages = [
+          penv
+          pkgs.coreutils
+          # Dependency for 'bench new-site' subcommand
+          pkgs.mariadb-client
+          pkgs.replace-secret
+        ];
      };
      environment = {
        PYTHON_PATH = "${penv}/${pkgs.python3.sitePackages}";
      };
-      path = [ pkgs.mariadb-client penv pkgs.coreutils ];
      serviceConfig = defaultServiceConfig // {
        TimeoutStartSec = "300s";
        Restart = "on-failure";