diff options
author | Franz Pletz <fpletz@fnordicwalking.de> | 2019-09-23 15:09:06 +0200 |
---|---|---|
committer | Franz Pletz <fpletz@fnordicwalking.de> | 2019-09-23 15:23:31 +0200 |
commit | 0dc4fe0a44f16e730a422de21f8f5ebdf582f54a (patch) | |
tree | 05636e9e86e97e29e05fb58f1610ca4747634e8c /nixos | |
parent | 5b5da3c2f2a6774837a5a999f18b69abf61f60a1 (diff) | |
download | nixlib-0dc4fe0a44f16e730a422de21f8f5ebdf582f54a.tar nixlib-0dc4fe0a44f16e730a422de21f8f5ebdf582f54a.tar.gz nixlib-0dc4fe0a44f16e730a422de21f8f5ebdf582f54a.tar.bz2 nixlib-0dc4fe0a44f16e730a422de21f8f5ebdf582f54a.tar.lz nixlib-0dc4fe0a44f16e730a422de21f8f5ebdf582f54a.tar.xz nixlib-0dc4fe0a44f16e730a422de21f8f5ebdf582f54a.tar.zst nixlib-0dc4fe0a44f16e730a422de21f8f5ebdf582f54a.zip |
nixos/systemd: pick more upstream tmpfiles confs
In #68792 it was discovered that /dev/fuse doesn't have wordl-read-writeable permissions anymore. The cause of this is that the tmpfiles examples in systemd were reorganized and split into more files. We thus lost some of the configuration we were depending on. In this commit some of the new tmpfiles configuration that are applicable to us are added which also makes wtmp/lastlog in the pam module not necessary anymore. Rationale for the new tmpfile configs: - `journal-nowcow.conf`: Contains chattr +C for journald logs which makes sense on copy-on-write filesystems like Btrfs. Other filesystems shouldn't do anything funny when that flag is set. - `static-nodes-permissions.conf`: Contains some permission overrides for some device nodes like audio, loop, tun, fuse and kvm. - `systemd-nspawn.conf`: Makes sure `/var/lib/machines` exists and old snapshots are properly removed. - `systemd-tmp.conf`: Removes systemd services related private tmp folders and temporary coredump files. - `var.conf`: Creates some useful directories in `/var` which we would create anyway at some point. Also includes `/var/log/{wtmp,btmp,lastlog}`. Fixes #68792.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/security/pam.nix | 7 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 5 |
2 files changed, 5 insertions, 7 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 3cf09611fba7..a3eb12b06940 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -742,13 +742,6 @@ in environment.etc = mapAttrsToList (n: v: makePAMService v) config.security.pam.services; - systemd.tmpfiles.rules = optionals - (any (s: s.updateWtmp) (attrValues config.security.pam.services)) - [ - "f /var/log/wtmp" - "f /var/log/lastlog" - ]; - security.pam.services = { other.text = '' diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 2287a82418fe..5cf437bfbcbe 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -858,7 +858,12 @@ in "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf"; "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf"; + "tmpfiles.d/journal-nocow.conf".source = "${systemd}/example/tmpfiles.d/journal-nocow.conf"; + "tmpfiles.d/static-nodes-permissions.conf".source = "${systemd}/example/tmpfiles.d/static-nodes-permissions.conf"; "tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf"; + "tmpfiles.d/systemd-nspawn.conf".source = "${systemd}/example/tmpfiles.d/system-nspawn.conf"; + "tmpfiles.d/systemd-tmp.conf".source = "${systemd}/example/tmpfiles.d/system-tmp.conf"; + "tmpfiles.d/var.conf".source = "${systemd}/example/tmpfiles.d/var.conf"; "tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf"; "tmpfiles.d/nixos.conf".text = '' |