authorPhilipp Kern <pkern@google.com>2021-01-01 19:56:52 +0100
committerPhilipp Kern <pkern@google.com>2021-02-11 10:09:45 +0100
commit624cc51badb6b3b6aff2ebc7cf8a7243edcc0a0d (patch)
treecd2e99229b8fb80dadc5d7a9c3b403f3ba574915 /nixos
parent1db74d1150827d09b9620457af673b2d9b6c2b07 (diff)
nixos/spamassassin: Simplify services by using StateDirectory
Let systemd create SpamAssassin's state directory and populate it using the
regular updater service. Depend on the updater service on boot but do not
propagate failure to the main service.

spamd's commands to start and reload the service are still executed as
root but user/group are set to properly chown the state directory to the
target user. spamd drops privileges itself for its runner children but
preserves root on the main daemon (to listen and re-exec).
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/mail/spamassassin.nix60
1 files changed, 18 insertions, 42 deletions
diff --git a/nixos/modules/services/mail/spamassassin.nix b/nixos/modules/services/mail/spamassassin.nix
index 0bbf2df48d40..98d9e925dcd7 100644
--- a/nixos/modules/services/mail/spamassassin.nix
+++ b/nixos/modules/services/mail/spamassassin.nix
@@ -126,22 +126,19 @@ in
     };
 
     systemd.services.sa-update = {
+      # Needs to be able to contact the update server.
       wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
-      script = ''
-        set +e
-        ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/" spamd
-
-        v=$?
-        set -e
-        if [ $v -gt 1 ]; then
-          echo "sa-update execution error"
-          exit $v
-        fi
-        if [ $v -eq 0 ]; then
-          systemctl reload spamd.service
-        fi
-      '';
+
+      serviceConfig = {
+        Type = "oneshot";
+        User = "spamd";
+        Group = "spamd";
+        StateDirectory = "spamassassin";
+        ExecStart = "${pkgs.spamassassin}/bin/sa-update --verbose --gpghomedir=%S/spamassassin/sa-update-keys/";
+        ExecStartPost = "+${pkgs.systemd}/bin/systemctl -q --no-block try-reload-or-restart spamd.service";
+        SuccessExitStatus = "1";
+      };
     };
 
     systemd.timers.sa-update = {
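Review bot: `ExecStartPost` runs whenever `ExecStart` counts as successful, and `SuccessExitStatus = "1"` makes exit code 1 a success, so spamd is now reloaded or restarted on every timer run, where the removed script reloaded only on exit 0. If the extra reloads are acceptable, record that in a comment; otherwise the reload needs to be gated on exit code 0. The explanation of the exit codes was also dropped along with spamd-init, so I would add `# sa-update exits 1 when no update is available; only codes > 1 are errors` above `SuccessExitStatus`. A short comment on the `+` prefix of `ExecStartPost` would help too, since it is the one command in this otherwise unprivileged unit that runs as root.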
@@ -154,43 +151,22 @@ in
       };
     };
 
-    systemd.services.spamd-init = {
-      serviceConfig = {
-        Type = "oneshot";
-      };
-      script = ''
-        mkdir -p /var/lib/spamassassin
-        chown spamd:spamd /var/lib/spamassassin -R
-        if [ "$(ls -A /var/lib/spamassassin)" = "" ]; then
-          echo "'/var/lib/spamassassin' is empty, running sa-update..."
-          set +e
-          ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/" spamd
-          v=$?
-          set -e
-          # 0 and 1 no error, exitcode > 1 means error:
-          # https://spamassassin.apache.org/full/3.1.x/doc/sa-update.html#exit_codes
-          if [ $v -gt 1 ]; then
-            echo "sa-update execution error"
-            exit $v
-          fi
-          echo "sa-update run successfully."
-        fi
-      '';
-    };
-
     systemd.services.spamd = {
       description = "SpamAssassin Server";
 
       wantedBy = [ "multi-user.target" ];
-      wants = [ "spamd-init.service" ];
+      wants = [ "sa-update.service" ];
       after = [
         "network.target"
-        "spamd-init.service"
+        "sa-update.service"
       ];
 
       serviceConfig = {
-        ExecStart = "${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --groupname=spamd --virtual-config-dir=/var/lib/spamassassin/user-%u --allow-tell --pidfile=/run/spamd.pid";
-        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        User = "spamd";
+        Group = "spamd";
+        ExecStart = "+${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --groupname=spamd --virtual-config-dir=%S/spamassassin/user-%u --allow-tell --pidfile=/run/spamd.pid";
+        ExecReload = "+${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        StateDirectory = "spamassassin";
       };
     };
   };
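Review bot: In the rewritten `ExecStart`, `--virtual-config-dir=%S/spamassassin/user-%u` contains `%u`, which systemd treats as a specifier just like the new `%S`, so spamd most likely receives a fixed `user-root` path rather than its own per-user pattern. The old line had the same text, so this is inherited, but it would mean all users share one config and Bayes directory while `--allow-tell` is enabled. Please verify against the generated unit and write `user-%%u` if the per-user expansion is meant to happen in spamd. Separately, the `+` prefix makes `ExecStart` and `ExecReload` ignore `User`/`Group`, which here only set ownership of the `StateDirectory`. That is explained in the commit message but not in the module, so I would add `# User/Group only chown the state directory; spamd starts as root and drops privileges for its children` above `User = "spamd";`.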