authorAaron Andersen <aaron@fosslib.net>2019-04-18 20:46:28 -0400
committerGitHub <noreply@github.com>2019-04-18 20:46:28 -0400
commit3464b50c618931bd8259c830ee2fd734aeab38f9 (patch)
treed9f1763592536fc24e5c80229a3499aada14c577 /nixos
parentebdf7368f7f72bb3bfcae95e3f0d61c0a9607363 (diff)
parent55ddb04a8ae3030fc6363874b65845ec7d2a507b (diff)
Merge pull request #59389 from aanderse/issue/53853-1
replace deprecated usage of PermissionsStartOnly (part 1)
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/amqp/rabbitmq.nix5
-rw-r--r--nixos/modules/services/audio/liquidsoap.nix7
-rw-r--r--nixos/modules/services/audio/mpd.nix10
-rw-r--r--nixos/modules/services/backup/mysql-backup.nix8
-rw-r--r--nixos/modules/services/backup/postgresql-backup.nix11
-rw-r--r--nixos/modules/services/databases/clickhouse.nix17
-rw-r--r--nixos/modules/services/databases/couchdb.nix21
-rw-r--r--nixos/modules/services/databases/influxdb.nix13
-rw-r--r--nixos/modules/services/databases/memcached.nix8
-rw-r--r--nixos/modules/services/databases/stanchion.nix20
-rw-r--r--nixos/modules/services/mail/nullmailer.nix6
-rw-r--r--nixos/modules/services/mail/rss2email.nix10
-rw-r--r--nixos/modules/services/misc/etcd.nix10
-rw-r--r--nixos/modules/services/misc/jackett.nix13
-rw-r--r--nixos/modules/services/misc/lidarr.nix7
-rw-r--r--nixos/modules/services/misc/mesos-master.nix7
-rw-r--r--nixos/modules/services/misc/mesos-slave.nix7
-rw-r--r--nixos/modules/services/misc/radarr.nix13
-rw-r--r--nixos/modules/services/misc/sonarr.nix13
-rw-r--r--nixos/modules/services/misc/zookeeper.nix7
-rw-r--r--nixos/modules/services/monitoring/collectd.nix11
-rw-r--r--nixos/modules/services/network-filesystems/ipfs.nix14
-rw-r--r--nixos/modules/services/networking/mxisd.nix1
-rw-r--r--nixos/modules/services/networking/smokeping.nix3
-rw-r--r--nixos/modules/services/networking/syncthing.nix1
-rw-r--r--nixos/modules/services/security/munge.nix13
-rw-r--r--nixos/modules/services/security/vault.nix9
-rw-r--r--nixos/modules/services/torrent/peerflix.nix6
-rw-r--r--nixos/modules/services/web-apps/codimd.nix5
-rw-r--r--nixos/modules/services/web-apps/nexus.nix5
-rw-r--r--nixos/modules/services/web-servers/minio.nix13
-rw-r--r--nixos/modules/services/web-servers/traefik.nix10
32 files changed, 110 insertions, 194 deletions
diff --git a/nixos/modules/services/amqp/rabbitmq.nix b/nixos/modules/services/amqp/rabbitmq.nix
index 7373be2a9b0b..302b94de1965 100644
--- a/nixos/modules/services/amqp/rabbitmq.nix
+++ b/nixos/modules/services/amqp/rabbitmq.nix
@@ -179,11 +179,11 @@ in {
       } //  optionalAttrs (cfg.config != "") { RABBITMQ_ADVANCED_CONFIG_FILE = advanced_config_file; };
 
       serviceConfig = {
-        PermissionsStartOnly = true; # preStart must be run as root
         ExecStart = "${cfg.package}/sbin/rabbitmq-server";
         ExecStop = "${cfg.package}/sbin/rabbitmqctl shutdown";
         User = "rabbitmq";
         Group = "rabbitmq";
+        LogsDirectory = "rabbitmq";
         WorkingDirectory = cfg.dataDir;
         Type = "notify";
         NotifyAccess = "all";
@@ -197,11 +197,8 @@ in {
       preStart = ''
         ${optionalString (cfg.cookie != "") ''
             echo -n ${cfg.cookie} > ${cfg.dataDir}/.erlang.cookie
-            chown rabbitmq:rabbitmq ${cfg.dataDir}/.erlang.cookie
             chmod 600 ${cfg.dataDir}/.erlang.cookie
         ''}
-        mkdir -p /var/log/rabbitmq
-        chown rabbitmq:rabbitmq /var/log/rabbitmq
       '';
     };
 
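Review bot: The Erlang cookie is still written by the `echo -n` line before its mode is tightened by the `chmod 600` on the following line, so for that window the new file takes the default umask and can be group- or world-readable; now that preStart runs as the rabbitmq user rather than root, that mode is the only protection the secret has. Creating it under a restrictive umask closes the gap: `(umask 077; echo -n ${cfg.cookie} > ${cfg.dataDir}/.erlang.cookie)`. The cookie value is also interpolated into the shell unquoted, so a value containing shell metacharacters would break or alter the command; `${escapeShellArg cfg.cookie}` (the file already uses `optionalString` unprefixed, so `lib` appears to be in scope) would be safer.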
diff --git a/nixos/modules/services/audio/liquidsoap.nix b/nixos/modules/services/audio/liquidsoap.nix
index 66f84ef20762..3a047d10a631 100644
--- a/nixos/modules/services/audio/liquidsoap.nix
+++ b/nixos/modules/services/audio/liquidsoap.nix
@@ -14,15 +14,10 @@ let
         description = "${name} liquidsoap stream";
         wantedBy = [ "multi-user.target" ];
         path = [ pkgs.wget ];
-        preStart =
-          ''
-            mkdir -p /var/log/liquidsoap
-            chown liquidsoap -R /var/log/liquidsoap
-          '';
         serviceConfig = {
-          PermissionsStartOnly="true";
           ExecStart = "${pkgs.liquidsoap}/bin/liquidsoap ${stream}";
           User = "liquidsoap";
+          LogsDirectory = "liquidsoap";
         };
       };
     };
diff --git a/nixos/modules/services/audio/mpd.nix b/nixos/modules/services/audio/mpd.nix
index 5bfe2b6a22ad..0df8f9688d25 100644
--- a/nixos/modules/services/audio/mpd.nix
+++ b/nixos/modules/services/audio/mpd.nix
@@ -158,18 +158,18 @@ in {
       };
     };
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -"
+      "d '${cfg.playlistDirectory}' - ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.mpd = {
       after = [ "network.target" "sound.target" ];
       description = "Music Player Daemon";
       wantedBy = optional (!cfg.startWhenNeeded) "multi-user.target";
 
-      preStart = ''
-        mkdir -p "${cfg.dataDir}" && chown -R ${cfg.user}:${cfg.group} "${cfg.dataDir}"
-        mkdir -p "${cfg.playlistDirectory}" && chown -R ${cfg.user}:${cfg.group} "${cfg.playlistDirectory}"
-      '';
       serviceConfig = {
         User = "${cfg.user}";
-        PermissionsStartOnly = true;
         ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon ${mpdConf}";
         Type = "notify";
         LimitRTPRIO = 50;
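Review bot: The tmpfiles `d` rules added at the top of the hunk set ownership only on the directory node itself, whereas the removed preStart chowned `${cfg.dataDir}` and `${cfg.playlistDirectory}` recursively, so a later change of `cfg.user`/`cfg.group` no longer re-owns existing contents and mpd may then be unable to write its database or playlists. If that migration path matters, a `Z '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -` rule restores the recursive behaviour; otherwise the difference deserves a one-line comment next to the rules. The same behavioural difference applies to the other preStart-to-tmpfiles conversions in this merge (influxdb, jackett, radarr, sonarr, collectd, couchdb, stanchion).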
diff --git a/nixos/modules/services/backup/mysql-backup.nix b/nixos/modules/services/backup/mysql-backup.nix
index f0c273ffebf1..ba6e154f6b3d 100644
--- a/nixos/modules/services/backup/mysql-backup.nix
+++ b/nixos/modules/services/backup/mysql-backup.nix
@@ -117,14 +117,12 @@ in
         enable = true;
         serviceConfig = {
           User = cfg.user;
-          PermissionsStartOnly = true;
         };
-        preStart = ''
-          mkdir -m 0700 -p ${cfg.location}
-          chown -R ${cfg.user} ${cfg.location}
-        '';
         script = backupScript;
       };
+      tmpfiles.rules = [
+        "d ${cfg.location} 0700 ${cfg.user} - - -"
+      ];
     };
   };
 
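Review bot: The path in the new rule `"d ${cfg.location} 0700 ${cfg.user} - - -"` is unquoted, unlike the other rules added in this merge (for example postgresql-backup's `"d '${cfg.location}' 0700 postgres - - -"`), and systemd-tmpfiles splits fields on whitespace, so a location containing a space produces a malformed rule and the backup directory is never created. Quoting it, `"d '${cfg.location}' 0700 ${cfg.user} - - -"`, keeps it consistent with the rest of the change.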
diff --git a/nixos/modules/services/backup/postgresql-backup.nix b/nixos/modules/services/backup/postgresql-backup.nix
index 11efa47ec5b2..17b410a97f3e 100644
--- a/nixos/modules/services/backup/postgresql-backup.nix
+++ b/nixos/modules/services/backup/postgresql-backup.nix
@@ -14,11 +14,6 @@ let
 
       requires = [ "postgresql.service" ];
 
-      preStart = ''
-        mkdir -m 0700 -p ${cfg.location}
-        chown postgres ${cfg.location}
-      '';
-
       script = ''
         umask 0077 # ensure backup is only readable by postgres user
 
@@ -32,7 +27,6 @@ let
 
       serviceConfig = {
         Type = "oneshot";
-        PermissionsStartOnly = "true";
         User = "postgres";
       };
 
@@ -107,6 +101,11 @@ in {
         message = "config.services.postgresqlBackup.backupAll cannot be used together with config.services.postgresqlBackup.databases";
       }];
     }
+    (mkIf cfg.enable {
+      systemd.tmpfiles.rules = [
+        "d '${cfg.location}' 0700 postgres - - -"
+      ];
+    })
     (mkIf (cfg.enable && cfg.backupAll) {
       systemd.services.postgresqlBackup =
         postgresqlBackupService "all" "${config.services.postgresql.package}/bin/pg_dumpall";
diff --git a/nixos/modules/services/databases/clickhouse.nix b/nixos/modules/services/databases/clickhouse.nix
index 21e0cee34151..dbabcae43ee5 100644
--- a/nixos/modules/services/databases/clickhouse.nix
+++ b/nixos/modules/services/databases/clickhouse.nix
@@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 let
   cfg = config.services.clickhouse;
-  confDir = "/etc/clickhouse-server";
-  stateDir = "/var/lib/clickhouse";
 in
 with lib;
 {
@@ -43,20 +41,13 @@ with lib;
 
       after = [ "network.target" ];
 
-      preStart = ''
-        mkdir -p ${stateDir}
-        chown clickhouse:clickhouse ${confDir} ${stateDir}
-      '';
-
-      script = ''
-        cd "${confDir}"
-        exec ${pkgs.clickhouse}/bin/clickhouse-server
-      '';
-
       serviceConfig = {
         User = "clickhouse";
         Group = "clickhouse";
-        PermissionsStartOnly = true;
+        ConfigurationDirectory = "clickhouse-server";
+        StateDirectory = "clickhouse";
+        LogsDirectory = "clickhouse";
+        ExecStart = "${pkgs.clickhouse}/bin/clickhouse-server --config-file=${pkgs.clickhouse}/etc/clickhouse-server/config.xml";
       };
     };
 
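Review bot: ExecStart now hard-codes `--config-file=${pkgs.clickhouse}/etc/clickhouse-server/config.xml` from the store, whereas the removed `script` ran the server from `/etc/clickhouse-server` and let it read whatever configuration lived there; the new `ConfigurationDirectory = "clickhouse-server"` line still creates that directory (owned by the clickhouse user) but nothing in the unit references it any more. Unless the packaged config.xml itself includes overrides from `/etc/clickhouse-server` (I cannot tell from the hunk), local configuration present on existing systems is silently ignored after this change, and the directory should either be dropped or wired back in. A comment on the ExecStart line stating which configuration is authoritative, e.g. `# configuration comes from the package; /etc/clickhouse-server is not consulted`, would make the intent clear either way.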
diff --git a/nixos/modules/services/databases/couchdb.nix b/nixos/modules/services/databases/couchdb.nix
index 84d108d9c747..5ddf8ba4bfbd 100644
--- a/nixos/modules/services/databases/couchdb.nix
+++ b/nixos/modules/services/databases/couchdb.nix
@@ -158,27 +158,21 @@ in {
     services.couchdb.configFile = mkDefault
       (if useVersion2 then "/var/lib/couchdb/local.ini" else "/var/lib/couchdb/couchdb.ini");
 
+    systemd.tmpfiles.rules = [
+      "d '${dirOf cfg.uriFile}' - ${cfg.user} ${cfg.group} - -"
+      "d '${dirOf cfg.logFile}' - ${cfg.user} ${cfg.group} - -"
+      "d '${cfg.databaseDir}' -  ${cfg.user} ${cfg.group} - -"
+      "d '${cfg.viewIndexDir}' -  ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.couchdb = {
       description = "CouchDB Server";
       wantedBy = [ "multi-user.target" ];
 
       preStart =
         ''
-        mkdir -p `dirname ${cfg.uriFile}`;
-        mkdir -p `dirname ${cfg.logFile}`;
-        mkdir -p ${cfg.databaseDir};
-        mkdir -p ${cfg.viewIndexDir};
         touch ${cfg.configFile}
         touch -a ${cfg.logFile}
-
-        if [ "$(id -u)" = 0 ]; then
-          chown ${cfg.user}:${cfg.group} `dirname ${cfg.uriFile}`;
-          (test -f ${cfg.uriFile} && chown ${cfg.user}:${cfg.group} ${cfg.uriFile}) || true
-          chown ${cfg.user}:${cfg.group} ${cfg.databaseDir}
-          chown ${cfg.user}:${cfg.group} ${cfg.viewIndexDir}
-          chown ${cfg.user}:${cfg.group} ${cfg.configFile}
-          chown ${cfg.user}:${cfg.group} ${cfg.logFile}
-        fi
         '';
 
       environment = mkIf useVersion2 {
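Review bot: With PermissionsStartOnly gone, the remaining `touch ${cfg.configFile}` in preStart runs as `${cfg.user}`, but the new tmpfiles rules only cover `dirOf cfg.uriFile`, `dirOf cfg.logFile`, `cfg.databaseDir` and `cfg.viewIndexDir`; the parent of `cfg.configFile` is not among them, and the removed block is also what used to chown an existing config file to the service user. With the default `/var/lib/couchdb/local.ini` this presumably works because the file sits inside a directory the rules already own, but a user-supplied configFile elsewhere now makes preStart fail with a permission error. Adding `"d '${dirOf cfg.configFile}' - ${cfg.user} ${cfg.group} - -"` to the rules covers that case.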
@@ -191,7 +185,6 @@ in {
       };
 
       serviceConfig = {
-        PermissionsStartOnly = true;
         User = cfg.user;
         Group = cfg.group;
         ExecStart = executable;
diff --git a/nixos/modules/services/databases/influxdb.nix b/nixos/modules/services/databases/influxdb.nix
index 888bf13c3df8..6868050c8446 100644
--- a/nixos/modules/services/databases/influxdb.nix
+++ b/nixos/modules/services/databases/influxdb.nix
@@ -157,20 +157,19 @@ in
 
   config = mkIf config.services.influxdb.enable {
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.influxdb = {
       description = "InfluxDB Server";
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];
       serviceConfig = {
         ExecStart = ''${cfg.package}/bin/influxd -config "${configFile}"'';
-        User = "${cfg.user}";
-        Group = "${cfg.group}";
-        PermissionsStartOnly = true;
+        User = cfg.user;
+        Group = cfg.group;
       };
-      preStart = ''
-        mkdir -m 0770 -p ${cfg.dataDir}
-        if [ "$(id -u)" = 0 ]; then chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}; fi
-      '';
       postStart =
         let
           scheme = if configOptions.http.https-enabled then "-k https" else "http";
diff --git a/nixos/modules/services/databases/memcached.nix b/nixos/modules/services/databases/memcached.nix
index 7af452e4dced..052ff1f308eb 100644
--- a/nixos/modules/services/databases/memcached.nix
+++ b/nixos/modules/services/databases/memcached.nix
@@ -78,11 +78,6 @@ in
       after = [ "network.target" ];
 
       serviceConfig = {
-        PermissionsStartOnly = true;
-        ExecStartPre = optionals cfg.enableUnixSocket [
-          "${pkgs.coreutils}/bin/install -d -o ${cfg.user} /run/memcached/"
-          "${pkgs.coreutils}/bin/chown -R ${cfg.user} /run/memcached/"
-        ];
         ExecStart =
         let
           networking = if cfg.enableUnixSocket
@@ -91,12 +86,13 @@ in
         in "${memcached}/bin/memcached ${networking} -m ${toString cfg.maxMemory} -c ${toString cfg.maxConnections} ${concatStringsSep " " cfg.extraOptions}";
 
         User = cfg.user;
+        RuntimeDirectory = "memcached";
       };
     };
   };
   imports = [
     (mkRemovedOptionModule ["services" "memcached" "socket"] ''
-      This option was replaced by a fixed unix socket path at /run/memcached/memcached.sock enabled using services.memached.enableUnixSocket.
+      This option was replaced by a fixed unix socket path at /run/memcached/memcached.sock enabled using services.memcached.enableUnixSocket.
     '')
   ];
 
diff --git a/nixos/modules/services/databases/stanchion.nix b/nixos/modules/services/databases/stanchion.nix
index 9fe49f51edd2..97e55bc70c47 100644
--- a/nixos/modules/services/databases/stanchion.nix
+++ b/nixos/modules/services/databases/stanchion.nix
@@ -98,7 +98,7 @@ in
         type = types.path;
         default = "/var/log/stanchion";
         description = ''
-          Log directory for Stanchino.
+          Log directory for Stanchion.
         '';
       };
 
@@ -152,6 +152,11 @@ in
 
     users.groups.stanchion.gid = config.ids.gids.stanchion;
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.logDir}' - stanchion stanchion --"
+      "d '${cfg.dataDir}' 0700 stanchion stanchion --"
+    ];
+
     systemd.services.stanchion = {
       description = "Stanchion Server";
 
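Review bot: Both new rules end in `--`, which systemd-tmpfiles reads as a single sixth field (age) with no seventh, and `--` is not a valid age, so it will most likely reject these two lines and neither `${cfg.logDir}` nor `${cfg.dataDir}` is created; the preStart removed further down in this file used to do that. The age and argument fields have to be separate tokens, as in the other rules in this merge: `"d '${cfg.logDir}' - stanchion stanchion - -"` and `"d '${cfg.dataDir}' 0700 stanchion stanchion - -"`.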
@@ -168,25 +173,12 @@ in
       environment.STANCHION_LOG_DIR = "${cfg.logDir}";
       environment.STANCHION_ETC_DIR = "/etc/stanchion";
 
-      preStart = ''
-        if ! test -e ${cfg.logDir}; then
-          mkdir -m 0755 -p ${cfg.logDir}
-          chown -R stanchion:stanchion ${cfg.logDir}
-        fi
-
-        if ! test -e ${cfg.dataDir}; then
-          mkdir -m 0700 -p ${cfg.dataDir}
-          chown -R stanchion:stanchion ${cfg.dataDir}
-        fi
-      '';
-
       serviceConfig = {
         ExecStart = "${cfg.package}/bin/stanchion console";
         ExecStop = "${cfg.package}/bin/stanchion stop";
         StandardInput = "tty";
         User = "stanchion";
         Group = "stanchion";
-        PermissionsStartOnly = true;
         # Give Stanchion a decent amount of time to clean up.
         TimeoutStopSec = 120;
         LimitNOFILE = 65536;
diff --git a/nixos/modules/services/mail/nullmailer.nix b/nixos/modules/services/mail/nullmailer.nix
index 418c02af4b7f..9997d287013e 100644
--- a/nixos/modules/services/mail/nullmailer.nix
+++ b/nixos/modules/services/mail/nullmailer.nix
@@ -212,6 +212,10 @@ with lib;
       };
     };
 
+    systemd.tmpfiles.rules = [
+      "d /var/spool/nullmailer - ${cfg.user} - - -"
+    ];
+
     systemd.services.nullmailer = {
       description = "nullmailer";
       wantedBy = [ "multi-user.target" ];
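Review bot: The new rule `"d /var/spool/nullmailer - ${cfg.user} - - -"` leaves the group field as `-` (the default, root) while the unit runs with `Group = cfg.group` and its preStart creates the trigger FIFO with mode 660 for that group, so the spool directory itself does not belong to the service's group; its mode also stays at the tmpfiles default 0755, the same as the old `mkdir -p`. Passing the group keeps the tree consistent: `"d /var/spool/nullmailer - ${cfg.user} ${cfg.group} - -"`. Whether the directory could additionally be made non-world-listable depends on how local mail submission reaches the queue, which I cannot tell from the hunk.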
@@ -220,13 +224,11 @@ with lib;
       preStart = ''
         mkdir -p /var/spool/nullmailer/{queue,tmp}
         rm -f /var/spool/nullmailer/trigger && mkfifo -m 660 /var/spool/nullmailer/trigger
-        chown ${cfg.user} /var/spool/nullmailer/*
       '';
 
       serviceConfig = {
         User = cfg.user;
         Group = cfg.group;
-        PermissionsStartOnly=true;
         ExecStart = "${pkgs.nullmailer}/bin/nullmailer-send";
         Restart = "always";
       };
diff --git a/nixos/modules/services/mail/rss2email.nix b/nixos/modules/services/mail/rss2email.nix
index 5f3b2877008f..a123736005ab 100644
--- a/nixos/modules/services/mail/rss2email.nix
+++ b/nixos/modules/services/mail/rss2email.nix
@@ -94,6 +94,10 @@ in {
 
     services.rss2email.config.to = cfg.to;
 
+    systemd.tmpfiles.rules = [
+      "d /var/rss2email 0700 rss2email rss2email - -"
+    ];
+
     systemd.services.rss2email = let
       conf = pkgs.writeText "rss2email.cfg" (lib.generators.toINI {} ({
           DEFAULT = cfg.config;
@@ -105,22 +109,16 @@ in {
     in
     {
       preStart = ''
-        mkdir -p /var/rss2email
-        chmod 700 /var/rss2email
-
         cp ${conf} /var/rss2email/conf.cfg
         if [ ! -f /var/rss2email/db.json ]; then
           echo '{"version":2,"feeds":[]}' > /var/rss2email/db.json
         fi
-
-        chown -R rss2email:rss2email /var/rss2email
       '';
       path = [ pkgs.system-sendmail ];
       serviceConfig = {
         ExecStart =
           "${pkgs.rss2email}/bin/r2e -c /var/rss2email/conf.cfg -d /var/rss2email/db.json run";
         User = "rss2email";
-        PermissionsStartOnly = "true";
       };
     };
 
diff --git a/nixos/modules/services/misc/etcd.nix b/nixos/modules/services/misc/etcd.nix
index 2d1893dae64b..e4d5322f9b5f 100644
--- a/nixos/modules/services/misc/etcd.nix
+++ b/nixos/modules/services/misc/etcd.nix
@@ -142,6 +142,10 @@ in {
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0700 etcd - - -"
+    ];
+
     systemd.services.etcd = {
       description = "etcd key-value store";
       wantedBy = [ "multi-user.target" ];
@@ -176,14 +180,8 @@ in {
         Type = "notify";
         ExecStart = "${pkgs.etcd.bin}/bin/etcd";
         User = "etcd";
-        PermissionsStartOnly = true;
         LimitNOFILE = 40000;
       };
-
-      preStart = ''
-        mkdir -m 0700 -p ${cfg.dataDir}
-        if [ "$(id -u)" = 0 ]; then chown etcd ${cfg.dataDir}; fi
-      '';
     };
 
     environment.systemPackages = [ pkgs.etcdctl ];
diff --git a/nixos/modules/services/misc/jackett.nix b/nixos/modules/services/misc/jackett.nix
index b18ce2b1f81a..a07f20e5c24b 100644
--- a/nixos/modules/services/misc/jackett.nix
+++ b/nixos/modules/services/misc/jackett.nix
@@ -38,24 +38,19 @@ in
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.jackett = {
       description = "Jackett";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      preStart = ''
-        test -d ${cfg.dataDir} || {
-          echo "Creating jackett data directory in ${cfg.dataDir}"
-          mkdir -p ${cfg.dataDir}
-        }
-        chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}
-        chmod 0700 ${cfg.dataDir}
-      '';
 
       serviceConfig = {
         Type = "simple";
         User = cfg.user;
         Group = cfg.group;
-        PermissionsStartOnly = "true";
         ExecStart = "${pkgs.jackett}/bin/Jackett --NoUpdates --DataFolder '${cfg.dataDir}'";
         Restart = "on-failure";
       };
diff --git a/nixos/modules/services/misc/lidarr.nix b/nixos/modules/services/misc/lidarr.nix
index 627f22334fe8..f466402abfc7 100644
--- a/nixos/modules/services/misc/lidarr.nix
+++ b/nixos/modules/services/misc/lidarr.nix
@@ -17,20 +17,15 @@ in
       description = "Lidarr";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      preStart = ''
-        [ ! -d /var/lib/lidarr ] && mkdir -p /var/lib/lidarr
-        chown -R lidarr:lidarr /var/lib/lidarr
-      '';
 
       serviceConfig = {
         Type = "simple";
         User = "lidarr";
         Group = "lidarr";
-        PermissionsStartOnly = "true";
         ExecStart = "${pkgs.lidarr}/bin/Lidarr";
         Restart = "on-failure";
 
-        StateDirectory = "/var/lib/lidarr/";
+        StateDirectory = "lidarr";
         StateDirectoryMode = "0770";
       };
     };
diff --git a/nixos/modules/services/misc/mesos-master.nix b/nixos/modules/services/misc/mesos-master.nix
index 0523c6549ed6..572a9847e46c 100644
--- a/nixos/modules/services/misc/mesos-master.nix
+++ b/nixos/modules/services/misc/mesos-master.nix
@@ -95,6 +95,9 @@ in {
 
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.workDir}' 0700 - - - -"
+    ];
     systemd.services.mesos-master = {
       description = "Mesos Master";
       wantedBy = [ "multi-user.target" ];
@@ -114,11 +117,7 @@ in {
             ${toString cfg.extraCmdLineOptions}
         '';
         Restart = "on-failure";
-        PermissionsStartOnly = true;
       };
-      preStart = ''
-        mkdir -m 0700 -p ${cfg.workDir}
-      '';
     };
   };
 
diff --git a/nixos/modules/services/misc/mesos-slave.nix b/nixos/modules/services/misc/mesos-slave.nix
index 468c7f36ecc5..170065d0065e 100644
--- a/nixos/modules/services/misc/mesos-slave.nix
+++ b/nixos/modules/services/misc/mesos-slave.nix
@@ -184,6 +184,9 @@ in {
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.workDir}' 0701 - - - -"
+    ];
     systemd.services.mesos-slave = {
       description = "Mesos Slave";
       wantedBy = [ "multi-user.target" ];
@@ -210,11 +213,7 @@ in {
             --executor_environment_variables=${lib.escapeShellArg (builtins.toJSON cfg.executorEnvironmentVariables)} \
             ${toString cfg.extraCmdLineOptions}
         '';
-        PermissionsStartOnly = true;
       };
-      preStart = ''
-        mkdir -m 0701 -p ${cfg.workDir}
-      '';
     };
   };
 
diff --git a/nixos/modules/services/misc/radarr.nix b/nixos/modules/services/misc/radarr.nix
index 9ab26d848325..74444e24043f 100644
--- a/nixos/modules/services/misc/radarr.nix
+++ b/nixos/modules/services/misc/radarr.nix
@@ -38,24 +38,19 @@ in
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.radarr = {
       description = "Radarr";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      preStart = ''
-        test -d ${cfg.dataDir} || {
-          echo "Creating radarr data directory in ${cfg.dataDir}"
-          mkdir -p ${cfg.dataDir}
-        }
-        chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}
-        chmod 0700 ${cfg.dataDir}
-      '';
 
       serviceConfig = {
         Type = "simple";
         User = cfg.user;
         Group = cfg.group;
-        PermissionsStartOnly = "true";
         ExecStart = "${pkgs.radarr}/bin/Radarr -nobrowser -data='${cfg.dataDir}'";
         Restart = "on-failure";
       };
diff --git a/nixos/modules/services/misc/sonarr.nix b/nixos/modules/services/misc/sonarr.nix
index a99445a268d7..77c7f0582d0b 100644
--- a/nixos/modules/services/misc/sonarr.nix
+++ b/nixos/modules/services/misc/sonarr.nix
@@ -39,24 +39,19 @@ in
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.sonarr = {
       description = "Sonarr";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      preStart = ''
-        test -d ${cfg.dataDir} || {
-          echo "Creating sonarr data directory in ${cfg.dataDir}"
-          mkdir -p ${cfg.dataDir}
-        }
-        chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}
-        chmod 0700 ${cfg.dataDir}
-      '';
 
       serviceConfig = {
         Type = "simple";
         User = cfg.user;
         Group = cfg.group;
-        PermissionsStartOnly = "true";
         ExecStart = "${pkgs.sonarr}/bin/NzbDrone -nobrowser -data='${cfg.dataDir}'";
         Restart = "on-failure";
       };
diff --git a/nixos/modules/services/misc/zookeeper.nix b/nixos/modules/services/misc/zookeeper.nix
index cb7cc97d5a5c..50c84e3c6b80 100644
--- a/nixos/modules/services/misc/zookeeper.nix
+++ b/nixos/modules/services/misc/zookeeper.nix
@@ -119,6 +119,10 @@ in {
   config = mkIf cfg.enable {
     environment.systemPackages = [cfg.package];
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0700 zookeeper - - -"
+    ];
+
     systemd.services.zookeeper = {
       description = "Zookeeper Daemon";
       wantedBy = [ "multi-user.target" ];
@@ -135,11 +139,8 @@ in {
             ${configDir}/zoo.cfg
         '';
         User = "zookeeper";
-        PermissionsStartOnly = true;
       };
       preStart = ''
-        mkdir -m 0700 -p ${cfg.dataDir}
-        if [ "$(id -u)" = 0 ]; then chown zookeeper ${cfg.dataDir}; fi
         echo "${toString cfg.id}" > ${cfg.dataDir}/myid
       '';
     };
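Review bot: `echo "${toString cfg.id}" > ${cfg.dataDir}/myid` now runs as the zookeeper user, but on systems deployed with the previous module that file was written by root after a non-recursive chown of dataDir, so it is root-owned and the redirect fails with a permission error, leaving the service unable to start after the upgrade. Because the directory itself is owned by zookeeper, removing the file first is enough: `rm -f ${cfg.dataDir}/myid` before the echo; alternatively keep the write privileged with an `ExecStartPre = "+..."` entry as munge.nix does in this merge. Fresh installations are unaffected.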
diff --git a/nixos/modules/services/monitoring/collectd.nix b/nixos/modules/services/monitoring/collectd.nix
index 45e3312c0f44..6a4c678eb21f 100644
--- a/nixos/modules/services/monitoring/collectd.nix
+++ b/nixos/modules/services/monitoring/collectd.nix
@@ -79,6 +79,10 @@ in {
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' - ${cfg.user} - - -"
+    ];
+
     systemd.services.collectd = {
       description = "Collectd Monitoring Agent";
       after = [ "network.target" ];
@@ -87,16 +91,9 @@ in {
       serviceConfig = {
         ExecStart = "${cfg.package}/sbin/collectd -C ${conf} -f";
         User = cfg.user;
-        PermissionsStartOnly = true;
         Restart = "on-failure";
         RestartSec = 3;
       };
-
-      preStart = ''
-        mkdir -p "${cfg.dataDir}"
-        chmod 755 "${cfg.dataDir}"
-        chown -R ${cfg.user} "${cfg.dataDir}"
-      '';
     };
 
     users.users = optional (cfg.user == "collectd") {
diff --git a/nixos/modules/services/network-filesystems/ipfs.nix b/nixos/modules/services/network-filesystems/ipfs.nix
index d4fa1eccdf3b..f19bf9d81396 100644
--- a/nixos/modules/services/network-filesystems/ipfs.nix
+++ b/nixos/modules/services/network-filesystems/ipfs.nix
@@ -226,18 +226,19 @@ in {
       ipfs.gid = config.ids.gids.ipfs;
     };
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -"
+    ] ++ optionals cfg.autoMount [
+      "d '${cfg.ipfsMountDir}' - ${cfg.user} ${cfg.group} - -"
+      "d '${cfg.ipnsMountDir}' - ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.ipfs-init = recursiveUpdate commonEnv {
       description = "IPFS Initializer";
 
       after = [ "local-fs.target" ];
       before = [ "ipfs.service" "ipfs-offline.service" "ipfs-norouting.service" ];
 
-      preStart = ''
-        install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.dataDir}
-      '' + optionalString cfg.autoMount ''
-        install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.ipfsMountDir}
-        install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.ipnsMountDir}
-      '';
       script = ''
         if [[ ! -f ${cfg.dataDir}/config ]]; then
           ipfs init ${optionalString cfg.emptyRepo "-e"} \
@@ -253,7 +254,6 @@ in {
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = true;
-        PermissionsStartOnly = true;
       };
     };
 
diff --git a/nixos/modules/services/networking/mxisd.nix b/nixos/modules/services/networking/mxisd.nix
index 0aa6d0d9ecd3..0b9824f29fd7 100644
--- a/nixos/modules/services/networking/mxisd.nix
+++ b/nixos/modules/services/networking/mxisd.nix
@@ -116,7 +116,6 @@ in {
         Group = "mxisd";
         ExecStart = "${cfg.package}/bin/mxisd --spring.config.location=${cfg.dataDir}/ --spring.profiles.active=systemd --java.security.egd=file:/dev/./urandom";
         WorkingDirectory = cfg.dataDir;
-        PermissionsStartOnly = true;
         SuccessExitStatus = 143;
         Restart = "on-failure";
       };
diff --git a/nixos/modules/services/networking/smokeping.nix b/nixos/modules/services/networking/smokeping.nix
index 9ba6e48f417c..fab3ed5bb39d 100644
--- a/nixos/modules/services/networking/smokeping.nix
+++ b/nixos/modules/services/networking/smokeping.nix
@@ -285,12 +285,12 @@ in
       uid = config.ids.uids.smokeping;
       description = "smokeping daemon user";
       home = smokepingHome;
+      createHome = true;
     };
     systemd.services.smokeping = {
       wantedBy = [ "multi-user.target"];
       serviceConfig = {
         User = cfg.user;
-        PermissionsStartOnly = true;
         Restart = "on-failure";
       };
       preStart = ''
@@ -300,7 +300,6 @@ in
         cp ${cgiHome} ${smokepingHome}/smokeping.fcgi
         ${cfg.package}/bin/smokeping --check --config=${configPath}
         ${cfg.package}/bin/smokeping --static --config=${configPath}
-        chown -R ${cfg.user} ${smokepingHome}
       '';
       script = ''${cfg.package}/bin/smokeping --config=${configPath} --nodaemon'';
     };
diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix
index 702481ec5177..114a64dfb175 100644
--- a/nixos/modules/services/networking/syncthing.nix
+++ b/nixos/modules/services/networking/syncthing.nix
@@ -151,7 +151,6 @@ in {
           RestartForceExitStatus="3 4";
           User = cfg.user;
           Group = cfg.group;
-          PermissionsStartOnly = true;
           ExecStart = ''
             ${cfg.package}/bin/syncthing \
               -no-browser \
diff --git a/nixos/modules/services/security/munge.nix b/nixos/modules/services/security/munge.nix
index 504bc66c6d10..1c4f8e20552f 100644
--- a/nixos/modules/services/security/munge.nix
+++ b/nixos/modules/services/security/munge.nix
@@ -49,21 +49,16 @@ in
 
       path = [ pkgs.munge pkgs.coreutils ];
 
-      preStart = ''
-        chmod 0400 ${cfg.password}
-        mkdir -p /var/lib/munge -m 0711
-        chown -R munge:munge /var/lib/munge
-        mkdir -p /run/munge -m 0755
-        chown -R munge:munge /run/munge
-      '';
-
       serviceConfig = {
+        ExecStartPre = "+${pkgs.coreutils}/bin/chmod 0400 ${cfg.password}";
         ExecStart = "${pkgs.munge}/bin/munged --syslog --key-file ${cfg.password}";
         PIDFile = "/run/munge/munged.pid";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-        PermissionsStartOnly = "true";
         User = "munge";
         Group = "munge";
+        StateDirectory = "munge";
+        StateDirectoryMode = "0711";
+        RuntimeDirectory = "munge";
       };
 
     };
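Review bot: The new `ExecStartPre = "+…chmod 0400 ${cfg.password}"` restricts the key file's mode but, as before, never changes its owner, and the daemon reads it as `User = "munge"`; a root-owned key file therefore becomes unreadable for munged once this line has run, since 0400 grants access to the owner only. If the intent is that the administrator supplies a munge-owned file, a comment on this line (or in the option description) saying so would avoid surprises; otherwise the privileged step could also set the owner, e.g. a second entry `"+${pkgs.coreutils}/bin/chown munge:munge ${cfg.password}"` in an ExecStartPre list. The path is also passed unquoted and systemd splits Exec lines on whitespace, so a key path containing spaces would need escaping.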
diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix
index 0b28bc894458..8176c168ca94 100644
--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@@ -119,6 +119,10 @@ in
     };
     users.groups.vault.gid = config.ids.gids.vault;
 
+    systemd.tmpfiles.rules = optional (cfg.storagePath != null) [
+      "d '${cfg.storagePath}' 0700 vault vault - -"
+    ];
+
     systemd.services.vault = {
       description = "Vault server daemon";
 
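Review bot: `optional (cfg.storagePath != null) [ ... ]` wraps the list in another list, so `systemd.tmpfiles.rules` receives `[ [ "d …" ] ]` instead of a list of strings and evaluation fails against the option's type whenever storagePath is set; the plural `optionals (cfg.storagePath != null) [ ... ]` returns the inner list itself. After the preStart removal further down this rule is the only thing that creates `${cfg.storagePath}`, so with the typo fixed the directory is still created with the intended 0700 vault ownership.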
@@ -128,14 +132,9 @@ in
 
       restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
 
-      preStart = optionalString (cfg.storagePath != null) ''
-        install -d -m0700 -o vault -g vault "${cfg.storagePath}"
-      '';
-
       serviceConfig = {
         User = "vault";
         Group = "vault";
-        PermissionsStartOnly = true;
         ExecStart = "${cfg.package}/bin/vault server -config ${configFile}";
         PrivateDevices = true;
         PrivateTmp = true;
diff --git a/nixos/modules/services/torrent/peerflix.nix b/nixos/modules/services/torrent/peerflix.nix
index bed6661f84d6..a74f65984328 100644
--- a/nixos/modules/services/torrent/peerflix.nix
+++ b/nixos/modules/services/torrent/peerflix.nix
@@ -39,6 +39,10 @@ in {
   ###### implementation
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.stateDir}' - peerflix - - -"
+    ];
+
     systemd.services.peerflix = {
       description = "Peerflix Daemon";
       wantedBy = [ "multi-user.target" ];
@@ -47,13 +51,11 @@ in {
 
       preStart = ''
         mkdir -p "${cfg.stateDir}"/{torrents,.config/peerflix-server}
-        if [ "$(id -u)" = 0 ]; then chown -R peerflix "${cfg.stateDir}"; fi
         ln -fs "${configFile}" "${cfg.stateDir}/.config/peerflix-server/config.json"
       '';
 
       serviceConfig = {
         ExecStart = "${pkgs.nodePackages.peerflix-server}/bin/peerflix-server";
-        PermissionsStartOnly = true;
         User = "peerflix";
       };
     };
diff --git a/nixos/modules/services/web-apps/codimd.nix b/nixos/modules/services/web-apps/codimd.nix
index ee2fc2b9d857..7ae7cd9c52d8 100644
--- a/nixos/modules/services/web-apps/codimd.nix
+++ b/nixos/modules/services/web-apps/codimd.nix
@@ -899,10 +899,6 @@ in
       description = "CodiMD Service";
       wantedBy = [ "multi-user.target" ];
       after = [ "networking.target" ];
-      preStart = ''
-        mkdir -p ${cfg.workDir}
-        chown -R codimd: ${cfg.workDir}
-      '';
       serviceConfig = {
         WorkingDirectory = cfg.workDir;
         ExecStart = "${pkgs.codimd}/bin/codimd";
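Review bot: The removed `preStart` was the only visible code creating `${cfg.workDir}`, yet `WorkingDirectory = cfg.workDir` remains and, unlike the other modules in this commit, no `systemd.tmpfiles.rules` entry replaces the `mkdir -p`; if nothing outside this hunk creates the directory (for example `users.users.codimd` with `home = cfg.workDir; createHome = true;`), systemd will refuse to start the unit because the working directory does not exist. Please confirm that is covered elsewhere, or add `systemd.tmpfiles.rules = [ "d '${cfg.workDir}' 0750 codimd codimd - -" ];` next to the service definition. The enclosing `systemd.services.codimd` attribute set starts before this hunk.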
@@ -912,7 +908,6 @@ in
         ];
         Restart = "always";
         User = "codimd";
-        PermissionsStartOnly = true;
         PrivateTmp = true;
       };
     };
diff --git a/nixos/modules/services/web-apps/nexus.nix b/nixos/modules/services/web-apps/nexus.nix
index 050f8757fa5f..052dbed6d4f8 100644
--- a/nixos/modules/services/web-apps/nexus.nix
+++ b/nixos/modules/services/web-apps/nexus.nix
@@ -83,6 +83,8 @@ in
     users.users."${cfg.user}" = {
       isSystemUser = true;
       group = cfg.group;
+      home = cfg.home;
+      createHome = true;
     };
 
     users.groups."${cfg.group}" = {};
@@ -104,8 +106,6 @@ in
       preStart = ''
         mkdir -p ${cfg.home}/nexus3/etc
 
-        chown -R ${cfg.user}:${cfg.group} ${cfg.home}
-
         if [ ! -f ${cfg.home}/nexus3/etc/nexus.properties ]; then
           echo "# Jetty section" > ${cfg.home}/nexus3/etc/nexus.properties
           echo "application-port=${toString cfg.listenPort}" >> ${cfg.home}/nexus3/etc/nexus.properties
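Review bot: `mkdir -p ${cfg.home}/nexus3/etc` at the top of `preStart` now runs as `${cfg.user}` once `PermissionsStartOnly` is dropped, so it depends entirely on `createHome` having made `${cfg.home}` owned by that user; a pre-existing `cfg.home` owned by root will now fail `preStart` where the removed `chown -R` used to repair it. If that is acceptable, a one-line comment `# ${cfg.home} is created and owned via users.users.${cfg.user}.createHome` above the `mkdir` would make the dependency explicit; otherwise a tmpfiles entry `"d '${cfg.home}' 0750 ${cfg.user} ${cfg.group} - -"` keeps the ownership repair without running anything as root in `preStart`. The `preStart` body continues past the end of this hunk.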
@@ -124,7 +124,6 @@ in
         User = cfg.user;
         Group = cfg.group;
         PrivateTmp = true;
-        PermissionsStartOnly = true;
         LimitNOFILE = 102642;
       };
     };
diff --git a/nixos/modules/services/web-servers/minio.nix b/nixos/modules/services/web-servers/minio.nix
index f78a966989b6..cd123000f009 100644
--- a/nixos/modules/services/web-servers/minio.nix
+++ b/nixos/modules/services/web-servers/minio.nix
@@ -72,19 +72,16 @@ in
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.configDir}' - minio minio - -"
+      "d '${cfg.dataDir}' - minio minio - -"
+    ];
+
     systemd.services.minio = {
       description = "Minio Object Storage";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      preStart = ''
-        # Make sure directories exist with correct owner
-        mkdir -p ${cfg.configDir}
-        chown -R minio:minio ${cfg.configDir}
-        mkdir -p ${cfg.dataDir}
-        chown minio:minio ${cfg.dataDir}
-      '';
       serviceConfig = {
-        PermissionsStartOnly = true;
         ExecStart = "${cfg.package}/bin/minio server --json --address ${cfg.listenAddress} --config-dir=${cfg.configDir} ${cfg.dataDir}";
         Type = "simple";
         User = "minio";
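Review bot: The new tmpfiles entry for `cfg.configDir` uses mode `-`, i.e. the tmpfiles default of 0755, while the sibling changes in this commit give vault and traefik 0700 state directories; since this directory is handed to the server as `--config-dir` and is where minio keeps its configuration (which may include the access/secret key pair), a 0755 directory lets any local user traverse and list it, so protection of that material rests solely on the file modes minio chooses. Consider `"d '${cfg.configDir}' 0700 minio minio - -"`. The previous `preStart` did not set a mode either, so this is not a regression, but this commit is the natural place to tighten it.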
diff --git a/nixos/modules/services/web-servers/traefik.nix b/nixos/modules/services/web-servers/traefik.nix
index 4674ed0177e6..5bac895d43ac 100644
--- a/nixos/modules/services/web-servers/traefik.nix
+++ b/nixos/modules/services/web-servers/traefik.nix
@@ -84,18 +84,16 @@ in {
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0700 traefik traefik - -"
+    ];
+
     systemd.services.traefik = {
       description = "Traefik web server";
       after = [ "network-online.target" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
-        PermissionsStartOnly = true;
         ExecStart = ''${cfg.package.bin}/bin/traefik --configfile=${configFile}'';
-        ExecStartPre = [
-          ''${pkgs.coreutils}/bin/mkdir -p "${cfg.dataDir}"''
-          ''${pkgs.coreutils}/bin/chmod 700 "${cfg.dataDir}"''
-          ''${pkgs.coreutils}/bin/chown -R traefik:traefik "${cfg.dataDir}"''
-        ];
         Type = "simple";
         User = "traefik";
         Group = cfg.group;
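Review bot: The tmpfiles rule hardcodes `traefik traefik` while the unit runs with `Group = cfg.group`, so the data directory's group can differ from the process's primary group whenever `cfg.group` is overridden. With mode 0700 and the `traefik` user as owner this is harmless for access (the removed `ExecStartPre` hardcoded `chown -R traefik:traefik` as well), but it is confusing to read; `"d '${cfg.dataDir}' 0700 traefik ${cfg.group} - -"` keeps the two in step. Note also that the rule applies to the top-level directory only, unlike the removed recursive chown, so files traefik itself creates inside keep whatever owner and mode traefik gives them.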