From cf8f1fa221c93cffb59c488260362227a1c03d70 Mon Sep 17 00:00:00 2001
From: Noah Masur <7386960+nmasur@users.noreply.github.com>
Date: Tue, 2 Jun 2026 22:21:10 -0400
Subject: [PATCH] fix: allow calibre-web to write through metadata.db symlink

---
 .../nixos/modules/nmasur/presets/services/calibre-web.nix    | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/platforms/nixos/modules/nmasur/presets/services/calibre-web.nix b/platforms/nixos/modules/nmasur/presets/services/calibre-web.nix
index cb51aa82..7fb750b2 100644
--- a/platforms/nixos/modules/nmasur/presets/services/calibre-web.nix
+++ b/platforms/nixos/modules/nmasur/presets/services/calibre-web.nix
@@ -36,6 +36,11 @@ in
       };
     };
 
+    # metadata.db lives in /var/lib/calibre-web-db and is symlinked into the
+    # library dir; ProtectSystem=strict in the upstream module blocks writes
+    # through symlinks unless the real target path is also listed.
+    systemd.services.calibre-web.serviceConfig.ReadWritePaths = [ "/var/lib/calibre-web-db" ];
+
     # Allow web traffic to Caddy
     nmasur.presets.services.caddy.routes = [
       {