Merge pull request #150 from naturallaw777/copilot/fix-domains-dir-ownership

Fix /var/lib/domains caddy ownership and WordPress ADMIN_EMAIL for bare domains

app/sovran_systemsos_web/server.py

@@ -2779,6 +2779,25 @@ class DomainSetRequest(BaseModel):
 _SAFE_NAME_RE = re.compile(r'^[a-zA-Z0-9_-]+$')
 
 
+def _ensure_domains_dir() -> None:
+    """Create DOMAINS_DIR if needed and ensure it is owned by caddy:root."""
+    os.makedirs(DOMAINS_DIR, exist_ok=True)
+    try:
+        pw = pwd.getpwnam("caddy")
+        os.chown(DOMAINS_DIR, pw.pw_uid, 0)
+    except KeyError:
+        pass
+
+
+def _chown_to_caddy(path: str) -> None:
+    """Set the owner of a file to caddy:root (best-effort)."""
+    try:
+        pw = pwd.getpwnam("caddy")
+        os.chown(path, pw.pw_uid, 0)
+    except KeyError:
+        pass
+
+
 def _validate_safe_name(name: str) -> bool:
     """Return True if name contains only safe path characters (no separators)."""
     return bool(name) and _SAFE_NAME_RE.match(name) is not None
@@ -2789,10 +2808,11 @@ async def api_domains_set(req: DomainSetRequest):
     """Save a domain and optionally register a DDNS URL."""
     if not _validate_safe_name(req.domain_name):
         raise HTTPException(status_code=400, detail="Invalid domain_name")
-    os.makedirs(DOMAINS_DIR, exist_ok=True)
+    _ensure_domains_dir()
     domain_path = os.path.join(DOMAINS_DIR, req.domain_name)
     with open(domain_path, "w") as f:
         f.write(req.domain.strip())
+    _chown_to_caddy(domain_path)
 
     if req.ddns_url:
         ddns_url = req.ddns_url.strip()
@@ -2831,9 +2851,11 @@ class DomainSetEmailRequest(BaseModel):
 @app.post("/api/domains/set-email")
 async def api_domains_set_email(req: DomainSetEmailRequest):
     """Save the SSL certificate email address."""
-    os.makedirs(DOMAINS_DIR, exist_ok=True)
+    _ensure_domains_dir()
-    with open(os.path.join(DOMAINS_DIR, "sslemail"), "w") as f:
+    email_path = os.path.join(DOMAINS_DIR, "sslemail")
+    with open(email_path, "w") as f:
         f.write(req.email.strip())
+    _chown_to_caddy(email_path)
     return {"ok": True}
 
 

file_fixes_and_new_services/element-calling_haven.sh

@@ -34,8 +34,10 @@ FILE=/var/lib/beacons/file_fixes_and_new_services/element-calling_haven/complete
 
 #### MAIN SCRIPT ####
 
+  mkdir -p /var/lib/domains
   touch /var/lib/domains/haven
   touch /var/lib/domains/element-calling
+  chown -R caddy:root /var/lib/domains
 
    if [[ $? != 0 ]]; then
 

modules/core/caddy.nix

@@ -11,6 +11,10 @@ in
     group = "root";
   };
 
+  systemd.tmpfiles.rules = [
+    "d /var/lib/domains 0755 caddy root -"
+  ];
+
   # Override ExecStart + ExecReload to point at the runtime-generated Caddyfile
   systemd.services.caddy.serviceConfig = {
     ExecStart = lib.mkForce [

modules/wordpress.nix

@@ -73,7 +73,11 @@ lib.mkIf config.sovran_systemsOS.services.wordpress {
       DB_HOST="localhost"
       ADMIN_USER=$(pwgen -s 16 1)
       ADMIN_PASS=$(pwgen -s 24 1)
-      ADMIN_EMAIL="$ADMIN_USER@''${DOMAIN#*.}"
+      EMAIL_DOMAIN="''${DOMAIN#*.}"
+      if ! echo "$EMAIL_DOMAIN" | grep -q '\.'; then
+        EMAIL_DOMAIN="$DOMAIN"
+      fi
+      ADMIN_EMAIL="$ADMIN_USER@$EMAIL_DOMAIN"
 
       echo "══════════════════════════════════════════════"
       echo "  WordPress Automated Installation"