From e888db9f4b2b9b4d27f3760160d80c53af35f454 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?=
 <nicolas.jeannerod@moduscreate.com>
Date: Sat, 16 Nov 2024 20:13:42 +0100
Subject: [PATCH] Fix Pixelfed permission issue

---
 services/fediversity/pixelfed.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/services/fediversity/pixelfed.nix b/services/fediversity/pixelfed.nix
index 279445ef..37d33ced 100644
--- a/services/fediversity/pixelfed.nix
+++ b/services/fediversity/pixelfed.nix
@@ -13,6 +13,14 @@ in
 }:
 
 lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
+
+  ## Pixelfed as packaged in nixpkgs has a permission issue that prevents Nginx
+  ## from being able to serving the images. We fix it here, but this should be
+  ## upstreamed. See https://github.com/NixOS/nixpkgs/issues/235147
+  services.pixelfed.package = pkgs.pixelfed.overrideAttrs (old: {
+    patches = (old.patches or [ ]) ++ [ ./pixelfed-group-permissions.patch ];
+  });
+
   services.garage = {
     ensureBuckets = {
       pixelfed = {
@@ -61,6 +69,8 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
     };
   };
 
+  users.users.nginx.extraGroups = [ "pixelfed" ];
+
   services.pixelfed.settings = {
     ## NOTE: This depends on the targets, eg. universities might want control
     ## over who has an account. We probably want a universal