diff options
| author | Franz Pletz <fpletz@fnordicwalking.de> | 2019-09-23 15:09:06 +0200 |
|---|---|---|
| committer | Franz Pletz <fpletz@fnordicwalking.de> | 2019-09-23 15:23:31 +0200 |
| commit | 0dc4fe0a44f16e730a422de21f8f5ebdf582f54a (patch) | |
| tree | 05636e9e86e97e29e05fb58f1610ca4747634e8c /nixos | |
| parent | 5b5da3c2f2a6774837a5a999f18b69abf61f60a1 (diff) | |
| download | nixlib-0dc4fe0a44f16e730a422de21f8f5ebdf582f54a.tar nixlib-0dc4fe0a44f16e730a422de21f8f5ebdf582f54a.tar.gz nixlib-0dc4fe0a44f16e730a422de21f8f5ebdf582f54a.tar.bz2 nixlib-0dc4fe0a44f16e730a422de21f8f5ebdf582f54a.tar.lz nixlib-0dc4fe0a44f16e730a422de21f8f5ebdf582f54a.tar.xz nixlib-0dc4fe0a44f16e730a422de21f8f5ebdf582f54a.tar.zst nixlib-0dc4fe0a44f16e730a422de21f8f5ebdf582f54a.zip | |
nixos/systemd: pick more upstream tmpfiles confs
In #68792 it was discovered that /dev/fuse doesn't have
wordl-read-writeable permissions anymore. The cause of this is that the
tmpfiles examples in systemd were reorganized and split into more files.
We thus lost some of the configuration we were depending on.
In this commit some of the new tmpfiles configuration that are
applicable to us are added which also makes wtmp/lastlog in the pam
module not necessary anymore.
Rationale for the new tmpfile configs:
- `journal-nowcow.conf`: Contains chattr +C for journald logs which
makes sense on copy-on-write filesystems like Btrfs. Other filesystems
shouldn't do anything funny when that flag is set.
- `static-nodes-permissions.conf`: Contains some permission overrides
for some device nodes like audio, loop, tun, fuse and kvm.
- `systemd-nspawn.conf`: Makes sure `/var/lib/machines` exists and old
snapshots are properly removed.
- `systemd-tmp.conf`: Removes systemd services related private tmp
folders and temporary coredump files.
- `var.conf`: Creates some useful directories in `/var` which we would
create anyway at some point. Also includes
`/var/log/{wtmp,btmp,lastlog}`.
Fixes #68792.
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/security/pam.nix | 7 | ||||
| -rw-r--r-- | nixos/modules/system/boot/systemd.nix | 5 |
2 files changed, 5 insertions, 7 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 3cf09611fba7..a3eb12b06940 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -742,13 +742,6 @@ in environment.etc = mapAttrsToList (n: v: makePAMService v) config.security.pam.services; - systemd.tmpfiles.rules = optionals - (any (s: s.updateWtmp) (attrValues config.security.pam.services)) - [ - "f /var/log/wtmp" - "f /var/log/lastlog" - ]; - security.pam.services = { other.text = '' diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 2287a82418fe..5cf437bfbcbe 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -858,7 +858,12 @@ in "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf"; "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf"; + "tmpfiles.d/journal-nocow.conf".source = "${systemd}/example/tmpfiles.d/journal-nocow.conf"; + "tmpfiles.d/static-nodes-permissions.conf".source = "${systemd}/example/tmpfiles.d/static-nodes-permissions.conf"; "tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf"; + "tmpfiles.d/systemd-nspawn.conf".source = "${systemd}/example/tmpfiles.d/system-nspawn.conf"; + "tmpfiles.d/systemd-tmp.conf".source = "${systemd}/example/tmpfiles.d/system-tmp.conf"; + "tmpfiles.d/var.conf".source = "${systemd}/example/tmpfiles.d/var.conf"; "tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf"; "tmpfiles.d/nixos.conf".text = '' |