From 4d26ccb8ebc4afe4de0bcbb2d854a4d68605f422 Mon Sep 17 00:00:00 2001
From: Alex Palaistras
Date: Wed, 4 May 2022 11:29:53 +0100
Subject: [PATCH] nginx: Add default user to shared GID=10000
Users and groups used within Podman containers are usually assigned UID and GID 10000. Files for these containers are sometimes served by Nginx, and may be given permissions that restrict access to those outside the group, but which are intended to be served nonetheless. This commit adds the pre-defined `nginx` user to a `nginx-shared` group with GID 10000, which will then allow access to these files as needed.
---
 service/nginx/Containerfile | 4 ++++
 service/spectrum/container/config/spectrum.cfg.template | 9 ++++++---
 service/spectrum/container/run-spectrum | 4 ++++
 3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/service/nginx/Containerfile b/service/nginx/Containerfile
index 4c26910..68a151f 100644
--- a/service/nginx/Containerfile
+++ b/service/nginx/Containerfile
@@ -1,7 +1,11 @@
 FROM docker.io/nginx:1.21
+RUN addgroup --system --gid 10000 nginx-shared
+RUN gpasswd --add nginx nginx-shared
+
 COPY container/config /etc/nginx
 COPY container/run-nginx /run-nginx
+
 RUN nginx -t
 EXPOSE 80 443
diff --git a/service/spectrum/container/config/spectrum.cfg.template b/service/spectrum/container/config/spectrum.cfg.template
index 4b9cedb..af5658b 100644
--- a/service/spectrum/container/config/spectrum.cfg.template
+++ b/service/spectrum/container/config/spectrum.cfg.template
@@ -72,7 +72,7 @@ type = sqlite3
 [registration]
 # Enable public registrations
-enable_public_registration=${SPECTRUM_REGISTRATION_ENABLED}
+enable_public_registration = ${SPECTRUM_REGISTRATION_ENABLED}
 # Text to display upon user registration form
 # username_label=Jabber JID (e.g. user@server.tld): 
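Review bot: The two added `RUN` lines in service/nginx/Containerfile give the nginx user every permission that GID 10000 carries on files mounted into this container, including write access wherever a file or directory is group-writable, and the Containerfile has no comment saying that only read access is intended. I would add a comment above them such as `# nginx joins GID 10000 (shared by the Podman service containers) to read files they publish; mount those volumes read-only`, and confirm that only the directories meant to be served are mounted here. The two steps can also share one layer: `RUN addgroup --system --gid 10000 nginx-shared && gpasswd --add nginx nginx-shared`. Whether GID 10000 inside the container lines up with the files' group depends on the user-namespace mapping in use, which is not visible in this hunk.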
@@ -86,8 +86,11 @@ enable_public_registration=${SPECTRUM_REGISTRATION_ENABLED}
 # local_account_server_timeout=10000
 [purple]
+# Download user icons for WhatsApp.
+get-icons = true
+
 # Improve compatibility with WhatsApp protocol plugin.
-bridge-compatibility=true
+bridge-compatibility = true
 # Handle link-only messages for up to 2MB as media messages instead for WhatsApp.
-embed-max-file-size=2
+embed-max-file-size = 2
diff --git a/service/spectrum/container/run-spectrum b/service/spectrum/container/run-spectrum
index 865d550..0e7be98 100755
--- a/service/spectrum/container/run-spectrum
+++ b/service/spectrum/container/run-spectrum
@@ -6,4 +6,8 @@ for file in /etc/spectrum2/*.template; do
 envsubst "${ENV_NAMES}" < "${file}" > $(echo "${file}" | awk -F '.template$' '{print $1}')
 done
+# Correct permissions for data files.
+chown -R spectrum:spectrum /var/lib/spectrum2 /var/lib/spectrum2-media
+
+# Run entrypoint.
 /usr/bin/spectrum2 -n /etc/spectrum2/spectrum.cfg
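Review bot: The added `chown -R spectrum:spectrum /var/lib/spectrum2 /var/lib/spectrum2-media` in run-spectrum has no failure check, so if it fails (a read-only volume, or a mapping where ownership cannot be changed) the script still goes on to start the daemon; unless `set -e` is set above the hunk, which begins at line 6 of the script, I would write `chown -R spectrum:spectrum /var/lib/spectrum2 /var/lib/spectrum2-media || exit 1`. The chown also implies the script runs as root on every start, and the hunk does not show whether `/usr/bin/spectrum2` then drops to the `spectrum` user; if it does not, the daemon keeps root and the ownership fix changes nothing about what it can reach, so that is worth confirming. The last line is unchanged context, but since the new `# Run entrypoint.` comment labels it: starting the daemon with `exec /usr/bin/spectrum2 -n /etc/spectrum2/spectrum.cfg` would let it replace the shell and receive stop signals directly.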