Make hosted forge repo writable for merges

[justinmoon]

Summary

• prepare the canonical bare repo on service start so pika-news owns it and can write new git objects
• set shared-repository mode on the hosted bare repo so SSH pushes and forge merges can both mutate it safely
• keep the fix scoped to the hosted forge state dir used by the deployed service

Why

Manual ph dogfooding found that ph close worked but ph merge consistently failed. The hosted service user could delete branch refs, but it could not write new objects under /var/lib/pika-news/pika.git/objects, so forge merges failed before the ref transaction.

Verification

• nix eval .#nixosConfigurations.pika-build.config.system.build.toplevel.drvPath
• just pre-commit

---

Summary by CodeRabbit

• Chores
  • Improved service initialization with automatic git repository permission and ownership configuration during startup to ensure consistent deployment behavior across environments

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8ce75e9f-cd25-4c56-8431-1402a3d37d81

📥 Commits

Reviewing files that changed from the base of the PR and between 4d6465e and 664c559.

📒 Files selected for processing (1)

• infra/nix/modules/pika-news.nix

---

📝 Walkthrough

Walkthrough

A new canonical git directory variable and pre-start setup script were introduced to the pika-news systemd service. The script ensures proper ownership and permissions on the git repository before service startup, configuring git settings via command-line flags.

Changes

Cohort / File(s)	Summary
Pika-news Service Configuration infra/nix/modules/pika-news.nix	Added canonicalGitDir variable and prepareCanonicalRepo pre-start script to handle git repository ownership, directory permissions (2775), and git configuration (core.sharedRepository, group). Updated systemd service to execute the prep script via ExecStartPre before service launch.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A fluffy tail twitch and a hop—
The repo now stands pristine and true,
With permissions set and ownership right,
Our pre-start script hops through the night,
Before pika-news takes its flight! 🥕✨

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/ph-merge-perms-fix

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

Devin Review found 1 potential issue.

View 2 additional findings in Devin Review.

[devin-ai-integration]

🔴 ExecStartPre script runs chown as unprivileged user, will fail and block service startup

The prepareCanonicalRepo script calls chown -R ${serviceUser}:${serviceGroup} "$repo" (line 18), but ExecStartPre runs under the same User/Group as the main service (pika-news). On Linux, only root (or a process with CAP_CHOWN) can execute chown. Since the script uses set -euo pipefail, the chown failure causes the script to exit non-zero, which prevents the service from starting whenever the repo directory exists.

The fix is to prefix the command with + so systemd runs it with full root privileges before dropping to the service user: ExecStartPre = [ "+${prepareCanonicalRepo}" ];.

Suggested change

	ExecStartPre = [ prepareCanonicalRepo ];
	ExecStartPre = [ "+${prepareCanonicalRepo}" ];

---

Was this helpful? React with 👍 or 👎 to provide feedback.