23.05: gitea sets custom/conf/app.ini as read-only and fails startup

[peperunas]

Describe the bug

gitea fails to start as custom/conf/app.ini is not writeable:

2023/06/01 21:15:10 ...s/setting/setting.go:369:CreateOrAppendToCustomConf() [F] error saving to custom config: open /var/lib/gitea/custom/conf/app.ini: permission denied

I tried to make it writeable but it's reset to read-only each time the service starts.

Steps To Reproduce

Steps to reproduce the behavior:

1. Rebuild the configuration after moving from 22.11 to 23.05

Notify maintainers

@disassembler @kolaente @Ma27 @techknowlogick

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

 - system: `"x86_64-linux"`
 - host os: `Linux 5.15.110, NixOS, 23.05 (Stoat)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.15.0`
 - channels(giulio): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

[DeeUnderscore]

I had the same error message that came up during gitea-pre-start (so the ExecStartPre script that the NixOS module uses, not Gitea server proper).

This was because I had LFS enabled by setting services.gitea.settings.server.LFS_START_SERVER = "true", rather than services.gitea.lfs.enable = true.

Prior to 23.05, the NixOS module unconditionally provisioned the LFS token in app.ini during ExecStartPre, while now it only does that if services.gitea.lfs.enable is true. If LFS is enabled and the startup script does not provision the token, Gitea takes it upon itself to provision the token, and fails to write it to app.ini.

Of course, there are other issues that could produce the same error.

[peperunas]

What @DeeUnderscore suggested works for me, thank you.

I believe there should be at least a warning or some type of message for the user.

[DeeUnderscore]

We could probably have a warning that comes up when services.gitea.settings.server.LFS_START_SERVER is set but services.gitea.lfs.enable is not. I'm not sure if a straight up assert that fails the build would make sense here, since I can't really imagine why you'd want it this way, but maybe someone has some weird use case.

[Ma27]

A warning should be fine here. Feel free to file a patch for this.

[seqizz]

Another semi-related note:

gitea[9831]: 2023/07/31 22:03:13 cmd/web.go:170:serveInstalled() [E] Unable to update WORK_PATH=/var/lib/gitea to config "/var/lib/gitea/custom/conf/app.ini": failed to save "/var/lib/gitea/custom/conf/app.ini": open /var/lib/gitea/custom/conf/app.ini: permission denied
gitea[9831]: You must set it manually, otherwise there might be bugs when accessing the git repositories.

I couldn't find a similar one on issue list (in this case gitea starts OK but doesn't allow repository pull/push), probably because I am using unstable.gitea package (v1.20.1) on 23.05.

As a nasty workaround, I had to add following to the config:

services.gitea.extraConfig = ''
  [DEFAULT]
  WORK_PATH=/var/lib/gitea
'';