author | Philipp Kern <pkern@google.com> | 2021-01-01 19:56:52 +0100 |
---|---|---|
committer | Philipp Kern <pkern@google.com> | 2021-02-11 10:09:45 +0100 |
commit | 624cc51badb6b3b6aff2ebc7cf8a7243edcc0a0d (patch) | |
tree | cd2e99229b8fb80dadc5d7a9c3b403f3ba574915 /nixos | |
parent | 1db74d1150827d09b9620457af673b2d9b6c2b07 (diff) | |
nixos/spamassassin: Simplify services by using StateDirectory
Let systemd create SpamAssassin's state directory and populate it using the regular updater service. Depend on the updater service on boot but do not propagate failure to the main service. spamd's commands to start and reload the service are still executed as root but user/group are set to properly chown the state directory to the target user. spamd drops privileges itself for its runner children but preserves root on the main daemon (to listen and re-exec).
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/mail/spamassassin.nix | 60 |
1 files changed, 18 insertions, 42 deletions
diff --git a/nixos/modules/services/mail/spamassassin.nix b/nixos/modules/services/mail/spamassassin.nix index 0bbf2df48d40..98d9e925dcd7 100644 --- a/nixos/modules/services/mail/spamassassin.nix +++ b/nixos/modules/services/mail/spamassassin.nix @@ -126,22 +126,19 @@ in }; systemd.services.sa-update = { + # Needs to be able to contact the update server. wants = [ "network-online.target" ]; after = [ "network-online.target" ]; - script = '' - set +e - ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/" spamd - - v=$? - set -e - if [ $v -gt 1 ]; then - echo "sa-update execution error" - exit $v - fi - if [ $v -eq 0 ]; then - systemctl reload spamd.service - fi - ''; + + serviceConfig = { + Type = "oneshot"; + User = "spamd"; + Group = "spamd"; + StateDirectory = "spamassassin"; + ExecStart = "${pkgs.spamassassin}/bin/sa-update --verbose --gpghomedir=%S/spamassassin/sa-update-keys/"; + ExecStartPost = "+${pkgs.systemd}/bin/systemctl -q --no-block try-reload-or-restart spamd.service"; + SuccessExitStatus = "1"; + }; }; systemd.timers.sa-update = { 
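Review bot: `SuccessExitStatus = "1"` in the new `serviceConfig` of `sa-update` has no explanation, and the comment that gave the reason (sa-update exits 1 when no update is available, with a link to its exit-code documentation) is deleted along with `spamd-init` in the next hunk. Because status 1 now counts as success, `ExecStartPost` appears to run on every timer tick, whereas the removed script reloaded spamd only on exit 0. I would add above the line: `# sa-update exits 1 when no update is available (not an error); ExecStartPost therefore reloads spamd on every run.`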
@@ -154,43 +151,22 @@ in }; }; - systemd.services.spamd-init = { - serviceConfig = { - Type = "oneshot"; - }; - script = '' - mkdir -p /var/lib/spamassassin - chown spamd:spamd /var/lib/spamassassin -R - if [ "$(ls -A /var/lib/spamassassin)" = "" ]; then - echo "'/var/lib/spamassassin' is empty, running sa-update..." - set +e - ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/" spamd - v=$? - set -e - # 0 and 1 no error, exitcode > 1 means error: - # https://spamassassin.apache.org/full/3.1.x/doc/sa-update.html#exit_codes - if [ $v -gt 1 ]; then - echo "sa-update execution error" - exit $v - fi - echo "sa-update run successfully." - fi - ''; - }; - systemd.services.spamd = { description = "SpamAssassin Server"; wantedBy = [ "multi-user.target" ]; - wants = [ "spamd-init.service" ]; + wants = [ "sa-update.service" ]; after = [ "network.target" - "spamd-init.service" + "sa-update.service" ]; serviceConfig = { - ExecStart = "${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --groupname=spamd --virtual-config-dir=/var/lib/spamassassin/user-%u --allow-tell --pidfile=/run/spamd.pid"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + User = "spamd"; + Group = "spamd"; + ExecStart = "+${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --groupname=spamd --virtual-config-dir=%S/spamassassin/user-%u --allow-tell --pidfile=/run/spamd.pid"; + ExecReload = "+${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + StateDirectory = "spamassassin"; }; }; }; |
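Review bot: In the new `ExecStart` for spamd, the `%u` in `--virtual-config-dir=%S/spamassassin/user-%u` is expanded by systemd just like the `%S` added next to it, so spamd never receives its own `%u` placeholder. For a system unit, systemd resolves `%u` to the user running the service manager (root), independent of `User=`. That would put every mail user's preferences and learned data, which `--allow-tell` lets clients update, in one shared `user-root` directory. The old line had the same `%u`, so this predates the commit, but if per-user directories are intended the percent sign needs escaping: `--virtual-config-dir=%S/spamassassin/user-%%u`. It is worth confirming on a running system which directory actually gets created.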