author | Franz Pletz <fpletz@fnordicwalking.de> | 2015-12-11 17:30:45 +0100 |
---|---|---|
committer | Franz Pletz <fpletz@fnordicwalking.de> | 2015-12-12 16:06:52 +0100 |
commit | e7362a877dd11493d23dcbbee390343b64c0a491 (patch) | |
tree | 00e65b6eb2a1ddc53461c8499dd2b3a2df9a7da3 | |
parent | 1641c19d0b367ebe9eca15f269c9f8dbf020c113 (diff) | |
nixos/simp_le: Use systemd for setting user and group
This is much cleaner and we don't depend on sudo.
-rw-r--r-- | nixos/modules/services/security/simp_le.nix | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/nixos/modules/services/security/simp_le.nix b/nixos/modules/services/security/simp_le.nix
index 31eb89da55c6..12d9f9708164 100644
--- a/nixos/modules/services/security/simp_le.nix
+++ b/nixos/modules/services/security/simp_le.nix
@@ -145,8 +145,12 @@ in
 serviceConfig = {
 Type = "oneshot";
 SuccessExitStatus = [ "0" "1" ];
+ PermissionsStartOnly = true;
+ User = data.user;
+ Group = data.group;
+ PrivateTmp = true;
 };
- path = [ pkgs.simp_le pkgs.sudo ];
+ path = [ pkgs.simp_le ];
 preStart = ''
 mkdir -p '${cfg.directory}'
 if [ ! -d '${cpath}' ]; then
@@ -157,13 +161,16 @@ in
 script = ''
 cd '${cpath}'
 set +e
- sudo -u '${data.user}' -- simp_le ${concatMapStringsSep " " (arg: escapeShellArg (toString arg)) cmdline}
+ simp_le ${concatMapStringsSep " " (arg: escapeShellArg (toString arg)) cmdline}
 EXITCODE=$?
 set -e
- if [ "$EXITCODE" = "0" ]; then
+ echo "$EXITCODE" > /tmp/lastExitCode
+ exit "$EXITCODE"
+ '';
+ postStop = ''
+ if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then
+ echo "Executing postRun hook..."
 ${data.postRun}
- else
- exit "$EXITCODE"
 fi
 '';
 })
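Review bot: The privilege split that `PermissionsStartOnly = true` creates in `serviceConfig` is not documented. With that option, `User`/`Group` apply only to the main `script`, so `preStart` and the new `postStop` (including the `${data.postRun}` hook) keep running as root. A comment above the option would make this explicit for anyone adding commands to those phases later, for example `# Only the simp_le run drops to data.user; preStart and postStop (postRun hook) still run as root.` The `preStart` body continues outside the hunk, so whether it hands ownership of `${cpath}` to `data.user` before the drop cannot be confirmed from here.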
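Review bot: The root-run `postStop` decides whether to execute `${data.postRun}` from the contents of `/tmp/lastExitCode`, a fixed path written by the unprivileged `script`. This is only safe while `PrivateTmp = true` is actually in effect. If the private mount is ever dropped or cannot be set up, the path is in the shared world-writable `/tmp`, where any local user can pre-create the file or a symlink. A pre-created file containing `0` would fire the hook as root after a failed run. Where the systemd version exports the result to stop-post commands, testing `[ "$EXIT_STATUS" = "0" ]` in `postStop` removes the file entirely; otherwise keep the marker in a directory only the service can write, and add a comment stating the dependency on `PrivateTmp`.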