From 10fc05bfc1bb3713f37b730987d0a4c539b166c7 Mon Sep 17 00:00:00 2001
From: networkException
Date: Fri, 1 Mar 2024 02:34:06 +0100
Subject: [PATCH] nixos/matrix-synapse: allow synapse to write to directories of unix socket paths

this patch takes the path of all unix socket listeners and appends their respective parent directories to the ReadWritePaths allow list for the matrix-synapse systemd service. previously configuring a unix socket in a directory not writable by synapse would fail.
---
 nixos/modules/services/matrix/synapse.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/matrix/synapse.nix b/nixos/modules/services/matrix/synapse.nix
index e3f9c7742cc7..7291c0fcbcdd 100644
--- a/nixos/modules/services/matrix/synapse.nix
+++ b/nixos/modules/services/matrix/synapse.nix
@@ -1232,7 +1232,8 @@ in {
 ProtectKernelTunables = true;
 ProtectProc = "invisible";
 ProtectSystem = "strict";
- ReadWritePaths = [ cfg.dataDir cfg.settings.media_store_path ];
+ ReadWritePaths = [ cfg.dataDir cfg.settings.media_store_path ] ++
+ (map (listener: dirOf listener.path) (filter (listener: listener.path != null) cfg.settings.listeners));
 RemoveIPC = true;
 RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
 RestrictNamespaces = true;
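Review bot: The added `map (listener: dirOf listener.path)` widens the sandbox from the socket itself to its entire parent directory, so a listener configured at e.g. `/run/synapse.sock` or `/tmp/synapse.sock` makes all of `/run` or `/tmp` writable to the service despite `ProtectSystem = "strict"`, which is a larger privilege grant than the commit message suggests. This is probably acceptable when the socket lives in a dedicated directory, but nothing in the hunk steers users there; a comment such as `# Note: this makes the socket's whole parent directory writable, not just the socket; put unix socket listeners in a dedicated directory (e.g. one managed via RuntimeDirectory) rather than a shared one like /run or /tmp.` above the new lines would record the trade-off, and a future follow-up could add an assertion that the path is absolute, since `dirOf` on a relative path yields `.`, which is unlikely to be a meaningful ReadWritePaths entry. Only `cfg.settings.listeners` is covered here; if worker listeners are declared elsewhere in this module they presumably do not get the same treatment, which is worth confirming. The enclosing serviceConfig attribute set starts and ends outside the hunk.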