From af12eb7baa949bc40155c837741bfd597fd0764e Mon Sep 17 00:00:00 2001
From: DanConwayDev
Date: Sun, 11 Jan 2026 16:39:20 +0000
Subject: fix(nix): use systemd tmpfiles for data directory creation

The preStart script was trying to chown directories but running as an unprivileged user, causing permission errors. Instead, use systemd tmpfiles.rules which run as root during system activation. This ensures data directories are created with correct ownership before the service starts.
---
 nix/module.nix | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/nix/module.nix b/nix/module.nix
index 53a4d77..a175639 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -282,13 +282,7 @@ let
 SystemCallErrorNumber = "EPERM";
 };
- # Ensure data directories exist before starting
- preStart = ''
- mkdir -p ${cfg.dataDir}/git
- mkdir -p ${cfg.dataDir}/relay
- chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}
- chmod 750 ${cfg.dataDir}
- '';
+ # Directory creation handled by systemd tmpfiles (see config section below)
 };
 enabledInstances =
@@ -340,5 +334,13 @@ in {
 systemd.services = mapAttrs' (name: cfg: nameValuePair "ngit-grasp-${name}" (mkService name cfg)) enabledInstances;
+
+ # Create data directories with proper ownership using tmpfiles
+ # This runs as root before the service starts
+ systemd.tmpfiles.rules = flatten (mapAttrsToList (name: cfg: [
+ "d ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group} -"
+ "d ${cfg.dataDir}/git 0750 ${cfg.user} ${cfg.group} -"
+ "d ${cfg.dataDir}/relay 0750 ${cfg.user} ${cfg.group} -"
+ ]) enabledInstances);
 };
 }
-- 
cgit v1.2.3
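Review bot: The three `d` rules in the second hunk set owner and mode only on `${cfg.dataDir}`, `git` and `relay` themselves, whereas the removed preStart ran `chown -R`, so files already under the data directory with a different owner (for example after `cfg.user` is changed or data is restored from a backup) are no longer corrected and the service may be unable to read them. If that is intended, the comment should say so, e.g. `# "d" does not recurse; existing contents keep their current owner`. The rule strings are also built by plain interpolation, and tmpfiles.d separates fields on whitespace and expands `%` specifiers in the path, so a `dataDir` containing either would yield a different rule than the one written here, applied as root; an assertion on the option or a note in its description would cover that. The enclosing attribute set starts outside this hunk, so whether `cfg.user` and `cfg.group` are guaranteed to exist when the rules run cannot be confirmed from here.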