From ceb04d96de4345ad6ea44577c01532a4270dd124 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Tue, 18 Jul 2023 12:23:09 +0200
Subject: [PATCH] module: fix DNS by adding resolv.conf, ssl dirs to BindReadOnlyPaths

This should fix temporary name resolution errors observed in erpnext.

Minor cleanup and explanatory comment for confinement.packages

We don't use pkgs from path, but prefer explicitly referring to pkgs
---
 modules/erpnext.nix | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/modules/erpnext.nix b/modules/erpnext.nix
index 10b61dd..97befb2 100644
--- a/modules/erpnext.nix
+++ b/modules/erpnext.nix
@@ -212,6 +212,9 @@ in
 Type = "simple";
 BindReadOnlyPaths = [
 "/etc/hosts:/etc/hosts"
+ "/etc/resolv.conf:/etc/resolv.conf"
+ "/etc/ssl:/etc/ssl"
+ "/etc/static/ssl:/etc/static/ssl"
 "/run/agenix:/run/agenix"
 "${pkgs.frappe-app}:${pkgs.frappe-app}"
 "${pkgs.frappe-app}/share/apps/frappe:${cfg.benchDir}/apps/frappe"
@@ -330,12 +333,20 @@ in
 description = "ERPNext web server";
 confinement = {
 enable = true;
- packages = [ pkgs.mariadb-client penv ];
+ # pkgs listed here get added to the services' BindReadOnlyPaths
+ # The same is true for pkgs referred to in ExecStartPre, ExecStart, etc.
+ # Explicitily listing these pkgs here for visibility
+ packages = [
+ penv
+ pkgs.coreutils
+ # Dependency for 'bench new-site' subcommand
+ pkgs.mariadb-client
+ pkgs.replace-secret
+ ];
 };
 environment = {
 PYTHON_PATH = "${penv}/${pkgs.python3.sitePackages}";
 };
- path = [ pkgs.mariadb-client penv pkgs.coreutils ];
 serviceConfig = defaultServiceConfig // {
 TimeoutStartSec = "300s";
 Restart = "on-failure";
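Review bot: The new `"/etc/static/ssl:/etc/static/ssl"` entry in the BindReadOnlyPaths hunk deserves a comment saying why it exists, because nothing in the hunk explains it and a later cleanup could drop it as redundant with `/etc/ssl`. On NixOS, files under /etc are commonly symlinks into /etc/static, which in turn points into the Nix store, so the second bind is presumably what lets the CA bundle symlink resolve inside the confined mount namespace; it is worth confirming that the bundle's final store path is also reachable in the confinement, otherwise TLS verification would still fail even though name resolution now works. Suggested comment above the two ssl lines: `# /etc/ssl is a symlink farm into /etc/static; bind both so the CA bundle resolves`. The same symlink question applies to `/etc/resolv.conf` when systemd-resolved manages it, so a one-line note there would help too. The BindReadOnlyPaths list and the enclosing serviceConfig continue outside the hunk.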
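Review bot: The comment block added above `packages` in the confinement hunk has a typo — `# Explicitily listing these pkgs here for visibility` should read `# Explicitly listing these pkgs here for visibility` — and `services'` on the first comment line reads as a plural possessive where the single service is meant (`the service's BindReadOnlyPaths`). Removing `path = [ ... ]` means, as the commit message says, that every ExecStart/ExecStartPre command is expected to reference its binary by absolute store path; that invariant is only implied by the deletion, so stating it in the same comment block, e.g. `# No 'path' is set: commands must use absolute ${pkgs.*}/bin paths`, would stop a later contributor from reintroducing a bare command name that then fails inside the confinement. The enclosing service definition starts and ends outside the hunk.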