From 32dc278aca2f3031f4ecc8696898e216db003b19 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 17 Apr 2019 20:19:12 +0200 Subject: =?UTF-8?q?lib:=20POSIX.1=E2=80=902013=20->=20POSIX.1=E2=80=902017?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- lib/types.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/types.nix b/lib/types.nix index 23919af3..2efa5a68 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -542,21 +542,21 @@ rec { merge = mergeOneOption; }; - # POSIX.1‐2013, 3.278 Portable Filename Character Set + # POSIX.1‐2017, 3.281 Portable Filename filename = mkOptionType { - name = "POSIX filename"; + name = "POSIX portable filename"; check = test "[0-9A-Za-z._][0-9A-Za-z._-]*"; merge = mergeOneOption; }; - # POSIX.1‐2013, 3.2 Absolute Pathname + # POSIX.1‐2017, 3.2 Absolute Pathname absolute-pathname = mkOptionType { name = "POSIX absolute pathname"; check = x: isString x && substring 0 1 x == "/" && pathname.check x; merge = mergeOneOption; }; - # POSIX.1‐2013, 3.267 Pathname + # POSIX.1-2017, 3.271 Pathname pathname = mkOptionType { name = "POSIX pathname"; check = x: @@ -570,9 +570,9 @@ rec { merge = mergeOneOption; }; - # POSIX.1-2013, 3.431 User Name + # POSIX.1-2017, 3.216 Login Name username = mkOptionType { - name = "POSIX username"; + name = "POSIX login name"; check = filename.check; merge = mergeOneOption; }; -- cgit v1.2.3 From 4da25a3fef38e233338414fb651aee9e3143efc1 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 17 Apr 2019 20:19:39 +0200 Subject: =?UTF-8?q?lib:=20add=20POSIX.1=E2=80=902017,=203.190=20Group=20Na?= =?UTF-8?q?me?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- lib/types.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lib/types.nix b/lib/types.nix index 2efa5a68..ffae8c7b 100644 --- a/lib/types.nix +++ b/lib/types.nix 
@@ -542,6 +542,13 @@ rec { merge = mergeOneOption; }; + # POSIX.1‐2017, 3.190 Group Name + groupname = mkOptionType { + name = "POSIX group name"; + check = filename.check; + merge = mergeOneOption; + }; + # POSIX.1‐2017, 3.281 Portable Filename filename = mkOptionType { name = "POSIX portable filename"; -- cgit v1.2.3 From 84ad0b0a93eccdef0e4ca05fd4091f014cb1ac25 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 17 Apr 2019 20:45:33 +0200 Subject: krebs.permown: init Derived from lass/3modules/ensure-permissions.nix --- krebs/3modules/default.nix | 1 + krebs/3modules/permown.nix | 74 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 krebs/3modules/permown.nix diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 567c077e..4d40f385 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -39,6 +39,7 @@ let ./nixpkgs.nix ./on-failure.nix ./os-release.nix + ./permown.nix ./per-user.nix ./power-action.nix ./Reaktor.nix diff --git a/krebs/3modules/permown.nix b/krebs/3modules/permown.nix new file mode 100644 index 00000000..7a86013e --- /dev/null +++ b/krebs/3modules/permown.nix 
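Review bot: The new `groupname` type reuses `filename.check` without saying why, so the coupling reads as accidental and a later relaxation of `filename` would silently widen what passes as a group name. A one-line why-comment would pin the intent, e.g. `check = filename.check; # POSIX.1-2017 3.190: portable filename charset, hyphen not first`. The regex that `filename` uses elsewhere in this file also admits names such as `.` and `..`; that is legal under the charset rule, but if it matters to callers the stricter check belongs here rather than in `filename`.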
@@ -0,0 +1,74 @@
+with import ;
+{ config, pkgs, ... }: {
+
+ options.krebs.permown = mkOption {
+ default = [];
+ type = types.listOf (types.submodule {
+ options = {
+ directory-mode = mkOption {
+ default = "=rwx";
+ type = types.str; # TODO
+ };
+ file-mode = mkOption {
+ default = "=rw";
+ type = types.str; # TODO
+ };
+ group = mkOption {
+ apply = x: if x == null then "" else x;
+ default = null;
+ type = types.nullOr types.groupname;
+ };
+ owner = mkOption {
+ type = types.username;
+ };
+ path = mkOption {
+ type = types.absolute-pathname;
+ };
+ umask = mkOption {
+ default = "0027";
+ type = types.file-mode;
+ };
+ };
+ });
+ };
+
+ config.systemd.services = genAttrs' config.krebs.permown (plan: {
+ name = "permown.${replaceStrings ["/"] ["_"] plan.path}";
+ value = {
+ environment = {
+ DIR_MODE = plan.directory-mode;
+ FILE_MODE = plan.file-mode;
+ OWNER_GROUP = "${plan.owner}:${plan.group}";
+ ROOT_PATH = plan.path;
+ };
+ path = [
+ pkgs.coreutils
+ pkgs.findutils
+ pkgs.inotifyTools
+ ];
+ serviceConfig = {
+ ExecStart = pkgs.writeDash "permown" ''
+ set -efu
+
+ find "$ROOT_PATH" -exec chown "$OWNER_GROUP" {} +
+ find "$ROOT_PATH" -type d -exec chmod "$DIR_MODE" {} +
+ find "$ROOT_PATH" -type f -exec chmod "$FILE_MODE" {} +
+
+ inotifywait -mrq -e CREATE --format %w%f "$ROOT_PATH" |
+ while read -r path; do
+ if test -d "$path"; then
+ exec "$0" "$@"
+ fi
+ chown "$OWNER_GROUP" "$path"
+ chmod "$FILE_MODE" "$path"
+ done
+ '';
+ Restart = "always";
+ RestartSec = 10;
+ UMask = plan.umask;
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ });
+
+}
-- cgit v1.2.3
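Review bot: Both `chown` calls in the script follow symbolic links — the first `find` has no `-type` filter and GNU `chown` dereferences by default, and the loop's `chown`/`chmod` run on whatever path `inotifywait` reports — so a user who can write inside `$ROOT_PATH` (the configured owner can, given `=rwx` on directories) can create a symlink to an arbitrary file and have this root service hand it to them via `chown`, or strip its mode bits via `chmod`. The `-type d` and `-type f` finds are not affected, since `-type` uses lstat and excludes links. Use `chown -h` in both places and skip `chmod` for links in the loop; `chmod` has no no-dereference flag, so a link swapped in between the test and the call still wins, and the script should carry a comment saying the chmod is best-effort in a user-writable tree. Separately, `exec "$0" "$@"` runs inside the pipeline's subshell, so under dash the original script and its `inotifywait` appear to stay alive holding their watches on every directory creation; exiting and letting `Restart=always` plus systemd's control-group kill clean up would avoid that, though I have not verified the resulting process tree.

```nix
        ExecStart = pkgs.writeDash "permown" ''
          set -efu

          # -h: never dereference symlinks; a user who can write to $ROOT_PATH
          # could otherwise point one at any file and have root chown it to them.
          find "$ROOT_PATH" -exec chown -h "$OWNER_GROUP" {} +
          # … unchanged: the two -type d / -type f chmod finds …

          inotifywait -mrq -e CREATE --format %w%f "$ROOT_PATH" |
          while read -r path; do
            if test -L "$path"; then
              # chmod has no -h and would follow the link; only fix ownership.
              chown -h "$OWNER_GROUP" "$path"
              continue
            fi
            if test -d "$path"; then
              exec "$0" "$@"
            fi
            chown -h "$OWNER_GROUP" "$path"
            # Best effort: a link may be swapped in between the test above and this call.
            chmod "$FILE_MODE" "$path"
          done
        '';
```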