fix(nix): use systemd tmpfiles for data directory creation

The preStart script was trying to chown directories but running as an
unprivileged user, causing permission errors. Instead, use systemd
tmpfiles.rules which run as root during system activation.

This ensures data directories are created with correct ownership before
the service starts.

1 files changed, 9 insertions, 7 deletions

diff --git a/nix/module.nix b/nix/module.nix
index 53a4d77..a175639 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -282,13 +282,7 @@ let
       SystemCallErrorNumber = "EPERM";
     };
 
-    # Ensure data directories exist before starting
-    preStart = ''
-      mkdir -p ${cfg.dataDir}/git
-      mkdir -p ${cfg.dataDir}/relay
-      chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}
-      chmod 750 ${cfg.dataDir}
-    '';
+    # Directory creation handled by systemd tmpfiles (see config section below)
   };
 
   enabledInstances =
@@ -340,5 +334,13 @@ in {
     systemd.services = mapAttrs'
       (name: cfg: nameValuePair "ngit-grasp-${name}" (mkService name cfg))
       enabledInstances;
+
+    # Create data directories with proper ownership using tmpfiles
+    # This runs as root before the service starts
+    systemd.tmpfiles.rules = flatten (mapAttrsToList (name: cfg: [
+      "d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group} -"
+      "d ${cfg.dataDir}/git 0750 ${cfg.user} ${cfg.group} -"
+      "d ${cfg.dataDir}/relay 0750 ${cfg.user} ${cfg.group} -"
+    ]) enabledInstances);
   };
 }