From 05ff7baf488c9d7d4f7aff4850caffe91e092f44 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Thu, 7 Apr 2011 12:47:20 +0000
Subject: [PATCH] * /var/lib/nova/networks should be readable by the `nobody' user, because dnsmasq runs as nobody and reads its host list from there.

svn path=/nixos/trunk/; revision=26740
---
 modules/virtualisation/nova.nix | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/modules/virtualisation/nova.nix b/modules/virtualisation/nova.nix
index d858e6947a8..f9f6af0b0e2 100644
--- a/modules/virtualisation/nova.nix
+++ b/modules/virtualisation/nova.nix
@@ -59,7 +59,10 @@ in

 system.activationScripts.nova =
 ''
- mkdir -m 700 -p /var/lib/nova
+ mkdir -m 755 -p /var/lib/nova
+ mkdir -m 755 -p /var/lib/nova/networks
+ mkdir -m 700 -p /var/lib/nova/instances
+ mkdir -m 700 -p /var/lib/nova/keys

 # Allow the CA certificate generation script (called by
 # nova-api) to work.
@@ -80,7 +83,9 @@ in

 startOn = "ip-up";

- path = [ pkgs.openssl ];
+ # `openssl' is required to generate the CA. `openssh' is
+ # required to generate key pairs.
+ path = [ pkgs.openssl pkgs.openssh ];

 exec = "${nova}/bin/nova-api";
 };
@@ -95,6 +100,11 @@ in

 startOn = "ip-up";

+ preStart =
+ ''
+ mkdir -m 700 -p /var/lib/nova/images
+ '';
+
 exec = "${nova}/bin/nova-objectstore --nodaemon";
 };
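Review bot: In the first hunk, `mkdir -m 755 -p /var/lib/nova` applies the mode only when it creates the directory, so on a machine already activated with the old script the directory stays 700 and dnsmasq (running as nobody) still cannot reach `networks`. The reverse holds for `instances` and `keys`, and for `images` in the nova-objectstore `preStart` hunk: if any of them already exists with a looser mode, `-m 700` does not tighten it, and once the parent is 755 nothing else keeps other local users out. Follow the mkdir calls with explicit modes, e.g. `chmod 755 /var/lib/nova /var/lib/nova/networks` and `chmod 700 /var/lib/nova/instances /var/lib/nova/keys`, plus `chmod 700 /var/lib/nova/images` in `preStart`. Anything else under /var/lib/nova that relied on the 700 parent should be checked for a restrictive mode of its own, presumably including the CA material set up just below this hunk, which is not visible here. Mode 711 on the parent would probably be enough for nobody to traverse it without making the directory listable.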