replaced stash readonly paths with normal binds

flake.lock

@@ -666,11 +666,11 @@
         "sudoku-solver": "sudoku-solver"
       },
       "locked": {
-        "lastModified": 1759462273,
-        "narHash": "sha256-eQVmWzWE9gzLSqEkvURyYoqLmDeiokGbQGkYvQ58kVc=",
+        "lastModified": 1759620370,
+        "narHash": "sha256-GTyxqIhtDTySs8f2l8N1zoS2wEBVFfF60nMJ7jEIWn0=",
         "ref": "refs/heads/master",
-        "rev": "9ab256ded797f78c9e411fe186dde9410be3049d",
-        "revCount": 107,
+        "rev": "6aea10172155c10e63d2efb454e28b9c1e50e3a6",
+        "revCount": 108,
         "type": "git",
         "url": "https://git.servidos.lat/jawz/scripts.git"
       },

modules/servers/stash.nix

@@ -1,7 +1,31 @@
-{ lib, config, ... }:
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
 let
   cfg = config.my.servers.stash;
+  cfgS = config.services.stash;
   setup = import ../factories/mkserver.nix { inherit lib config; };
+  stashPythonFHS = pkgs.buildFHSEnv {
+    name = "stash-python-fhs";
+    targetPkgs =
+      pkgs:
+      builtins.attrValues {
+        inherit (pkgs)
+          python3
+          gcc
+          glibc
+          ;
+        inherit (pkgs.python3Packages)
+          pip
+          virtualenv
+          ;
+        inherit (pkgs.stdenv.cc.cc) lib;
+      };
+    runScript = "bash";
+  };
 in
 {
   options.my.servers.stash = setup.mkOptions "stash" "xxx" 9999;
@@ -29,5 +53,19 @@ in
         ];
       };
     };
+    systemd.services.stash = {
+      environment = {
+        PYTHONPATH = "/var/lib/stash/venv/lib/python3.12/site-packages";
+        LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib:${pkgs.glibc}/lib:${pkgs.zlib}/lib:${pkgs.libffi}/lib:${pkgs.openssl}/lib";
+      };
+      serviceConfig = {
+        BindReadOnlyPaths = lib.mkForce [ ];
+        BindPaths = lib.mkIf (cfgS.settings != { }) (map (stash: "${stash.path}") cfgS.settings.stash);
+      };
+    };
+    users.users.stash = {
+      isSystemUser = true;
+      packages = [ stashPythonFHS ];
+    };
   };
 }