Merge pull request #56265 from aanderse/permissions-start-only
replace deprecated usage of PermissionsStartOnly (part 2)
grahamc committed Jun 25, 2019
2 parents 880bc93 + de6e5ea commit 38c28ef
Showing 33 changed files with 142 additions and 183 deletions.
10 changes: 5 additions & 5 deletions nixos/modules/services/audio/mopidy.nix
Expand Up @@ -70,25 +70,25 @@ in {

config = mkIf cfg.enable {

systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' - mopidy mopidy - -"
];

systemd.services.mopidy = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "sound.target" ];
description = "mopidy music player daemon";
preStart = "mkdir -p ${cfg.dataDir} && chown -R mopidy:mopidy ${cfg.dataDir}";
serviceConfig = {
ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)}";
User = "mopidy";
PermissionsStartOnly = true;
};
};

systemd.services.mopidy-scan = {
description = "mopidy local files scanner";
preStart = "mkdir -p ${cfg.dataDir} && chown -R mopidy:mopidy ${cfg.dataDir}";
serviceConfig = {
ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)} local scan";
User = "mopidy";
PermissionsStartOnly = true;
Type = "oneshot";
};
};
Expand All @@ -98,7 +98,7 @@ in {
group = "mopidy";
extraGroups = [ "audio" ];
description = "Mopidy daemon user";
home = "${cfg.dataDir}";
home = cfg.dataDir;
};

users.groups.mopidy.gid = gid;
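Review bot: The tmpfiles line `"d '${cfg.dataDir}' - mopidy mopidy - -"` applies ownership to the data directory itself, whereas the removed preStart ran `chown -R mopidy:mopidy ${cfg.dataDir}` on every start, so files inside it that an earlier root-run preStart or a manual copy left with another owner are no longer repaired. The same one-level-only replacement of a recursive chown (by a tmpfiles `d` rule or by StateDirectory) appears in slimserver.nix, firebird.nix, foundationdb.nix, dspam.nix, couchpotato.nix and gollum.nix. If that is intended, a comment on the rule such as `# tmpfiles adjusts the directory itself only; the old preStart chowned it recursively` makes the change visible to operators; otherwise a `Z` rule on the same path restores the recursive behaviour at the cost of walking the tree at every boot.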
6 changes: 4 additions & 2 deletions nixos/modules/services/audio/slimserver.nix
Expand Up @@ -42,15 +42,17 @@ in {

config = mkIf cfg.enable {

systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' - slimserver slimserver - -"
];

systemd.services.slimserver = {
after = [ "network.target" ];
description = "Slim Server for Logitech Squeezebox Players";
wantedBy = [ "multi-user.target" ];

preStart = "mkdir -p ${cfg.dataDir} && chown -R slimserver:slimserver ${cfg.dataDir}";
serviceConfig = {
User = "slimserver";
PermissionsStartOnly = true;
# Issue 40589: Disable broken image/video support (audio still works!)
ExecStart = "${cfg.package}/slimserver.pl --logdir ${cfg.dataDir}/logs --prefsdir ${cfg.dataDir}/prefs --cachedir ${cfg.dataDir}/cache --noimage --novideo";
};
9 changes: 4 additions & 5 deletions nixos/modules/services/computing/boinc/client.nix
Expand Up @@ -105,19 +105,18 @@ in
isSystemUser = true;
};

systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' - boinc - - -"
];

systemd.services.boinc = {
description = "BOINC Client";
after = ["network.target" "local-fs.target"];
wantedBy = ["multi-user.target"];
preStart = ''
mkdir -p ${cfg.dataDir}
chown boinc ${cfg.dataDir}
'';
script = ''
${fhsEnvExecutable} --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag}
'';
serviceConfig = {
PermissionsStartOnly = true; # preStart must be run as root
User = "boinc";
Nice = 10;
};
14 changes: 7 additions & 7 deletions nixos/modules/services/databases/firebird.nix
Expand Up @@ -95,6 +95,11 @@ in

environment.systemPackages = [cfg.package];

systemd.tmpfiles.rules = [
"d '${dataDir}' 0700 ${cfg.user} - - -"
"d '${systemDir}' 0700 ${cfg.user} - - -"
];

systemd.services.firebird =
{ description = "Firebird Super-Server";

Expand All @@ -104,21 +109,16 @@ in
# is a better way
preStart =
''
mkdir -m 0700 -p \
"${dataDir}" \
"${systemDir}" \
/var/log/firebird
if ! test -e "${systemDir}/security2.fdb"; then
cp ${firebird}/security2.fdb "${systemDir}"
fi
chown -R ${cfg.user} "${dataDir}" "${systemDir}" /var/log/firebird
chmod -R 700 "${dataDir}" "${systemDir}" /var/log/firebird
'';

serviceConfig.PermissionsStartOnly = true; # preStart must be run as root
serviceConfig.User = cfg.user;
serviceConfig.LogsDirectory = "firebird";
serviceConfig.LogsDirectoryMode = "0700";
serviceConfig.ExecStart = ''${firebird}/bin/fbserver -d'';

# TODO think about shutdown
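Review bot: The `cp ${firebird}/security2.fdb "${systemDir}"` kept at the top of preStart now yields a file carrying the store's read-only mode bits (cp without -p applies the source mode masked by the umask), and the removed `chmod -R 700` was what made the copied security database writable afterwards; on a fresh install fbserver may therefore find a 0444 security2.fdb. Replacing the copy with `install -m 0600 ${firebird}/security2.fdb "${systemDir}/security2.fdb"` keeps the old effective permissions. The new tmpfiles rules and LogsDirectoryMode cover the directories, not this file. The service definition continues below the hunk.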
22 changes: 8 additions & 14 deletions nixos/modules/services/databases/foundationdb.nix
Expand Up @@ -359,6 +359,13 @@ in
}
];

systemd.tmpfiles.rules = [
"d /etc/foundationdb 0755 ${cfg.user} ${cfg.group} - -"
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
"d '${cfg.logDir}' 0770 ${cfg.user} ${cfg.group} - -"
"F '${cfg.pidFile}' - ${cfg.user} ${cfg.group} - -"
];

systemd.services.foundationdb = {
description = "FoundationDB Service";

Expand Down Expand Up @@ -396,25 +403,12 @@ in
path = [ pkg pkgs.coreutils ];

preStart = ''
rm -f ${cfg.pidfile} && \
touch ${cfg.pidfile} && \
chown -R ${cfg.user}:${cfg.group} ${cfg.pidfile}
for x in "${cfg.logDir}" "${cfg.dataDir}"; do
[ ! -d "$x" ] && mkdir -m 0770 -vp "$x";
chown -R ${cfg.user}:${cfg.group} "$x";
done
[ ! -d /etc/foundationdb ] && \
mkdir -m 0775 -vp /etc/foundationdb && \
chown -R ${cfg.user}:${cfg.group} "/etc/foundationdb"
if [ ! -f /etc/foundationdb/fdb.cluster ]; then
cf=/etc/foundationdb/fdb.cluster
desc=$(tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c8)
rand=$(tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c8)
echo ''${desc}:''${rand}@${initialIpAddr}:${builtins.toString cfg.listenPortStart} > $cf
chmod 0664 $cf && chown -R ${cfg.user}:${cfg.group} $cf
chmod 0664 $cf
touch "${cfg.dataDir}/.first_startup"
fi
'';
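Review bot: The new rule `"F '${cfg.pidFile}' - ${cfg.user} ${cfg.group} - -"` references `cfg.pidFile`, while the preStart lines it replaces read `cfg.pidfile`; unless the option is renamed elsewhere in this commit, module evaluation fails with a missing attribute. The rule should use the option's spelling: `"F '${cfg.pidfile}' - ${cfg.user} ${cfg.group} - -"`. Separately, `/etc/foundationdb` is now created 0755 where the removed preStart used 0775, a tightening worth a line in the commit message since preStart still writes fdb.cluster there, now as `${cfg.user}`. The preStart body continues outside the hunk.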
17 changes: 5 additions & 12 deletions nixos/modules/services/databases/hbase.nix
Expand Up @@ -94,6 +94,11 @@ in {

config = mkIf config.services.hbase.enable {

systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -"
"d '${cfg.logDir}' - ${cfg.user} ${cfg.group} - -"
];

systemd.services.hbase = {
description = "HBase Server";
wantedBy = [ "multi-user.target" ];
Expand All @@ -103,19 +108,7 @@ in {
HBASE_LOG_DIR = cfg.logDir;
};

preStart =
''
mkdir -p ${cfg.dataDir};
mkdir -p ${cfg.logDir};
if [ "$(id -u)" = 0 ]; then
chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
chown ${cfg.user}:${cfg.group} ${cfg.logDir}
fi
'';

serviceConfig = {
PermissionsStartOnly = true;
User = cfg.user;
Group = cfg.group;
ExecStart = "${cfg.package}/bin/hbase --config ${configDir} master start";
12 changes: 5 additions & 7 deletions nixos/modules/services/logging/graylog.nix
Expand Up @@ -134,6 +134,10 @@ in
};
};

systemd.tmpfiles.rules = [
"d '${cfg.messageJournalDir}' - ${cfg.user} - - -"
];

systemd.services.graylog = with pkgs; {
description = "Graylog Server";
wantedBy = [ "multi-user.target" ];
Expand All @@ -143,8 +147,6 @@ in
};
path = [ pkgs.jre_headless pkgs.which pkgs.procps ];
preStart = ''
mkdir -p /var/lib/graylog -m 755
rm -rf /var/lib/graylog/plugins || true
mkdir -p /var/lib/graylog/plugins -m 755
Expand All @@ -154,14 +156,10 @@ in
for includedplugin in `ls ${cfg.package}/plugin/`; do
ln -s ${cfg.package}/plugin/$includedplugin /var/lib/graylog/plugins/$includedplugin || true
done
chown -R ${cfg.user} /var/lib/graylog
mkdir -p ${cfg.messageJournalDir} -m 755
chown -R ${cfg.user} ${cfg.messageJournalDir}
'';
serviceConfig = {
User="${cfg.user}";
PermissionsStartOnly=true;
StateDirectory = "graylog";
ExecStart = "${cfg.package}/bin/graylogctl run";
};
};
6 changes: 4 additions & 2 deletions nixos/modules/services/logging/heartbeat.nix
Expand Up @@ -54,16 +54,18 @@ in

config = mkIf cfg.enable {

systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' - nobody nogroup - -"
];

systemd.services.heartbeat = with pkgs; {
description = "heartbeat log shipper";
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p "${cfg.stateDir}"/{data,logs}
chown nobody:nogroup "${cfg.stateDir}"/{data,logs}
'';
serviceConfig = {
User = "nobody";
PermissionsStartOnly = true;
AmbientCapabilities = "cap_net_raw";
ExecStart = "${pkgs.heartbeat}/bin/heartbeat -c \"${heartbeatYml}\" -path.data \"${cfg.stateDir}/data\" -path.logs \"${cfg.stateDir}/logs\"";
};
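Review bot: The tmpfiles rule creates only `${cfg.stateDir}` itself, while the removed preStart also created and chowned `${cfg.stateDir}/data` and `${cfg.stateDir}/logs`, the paths ExecStart passes as `-path.data` and `-path.logs`. Because the parent is now owned by nobody:nogroup the daemon can create them itself if it does so on startup; if it does not, a fresh install fails on first start. Two more rules, `"d '${cfg.stateDir}/data' - nobody nogroup - -"` and `"d '${cfg.stateDir}/logs' - nobody nogroup - -"`, remove the dependency on that behaviour.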
13 changes: 4 additions & 9 deletions nixos/modules/services/mail/dspam.nix
Expand Up @@ -113,19 +113,14 @@ in {
Group = cfg.group;
RuntimeDirectory = optional (cfg.domainSocket == defaultSock) "dspam";
RuntimeDirectoryMode = optional (cfg.domainSocket == defaultSock) "0750";
PermissionsStartOnly = true;
StateDirectory = "dspam";
StateDirectoryMode = "0750";
LogsDirectory = "dspam";
LogsDirectoryMode = "0750";
# DSPAM segfaults on just about every error
Restart = "on-abort";
RestartSec = "1s";
};

preStart = ''
mkdir -m750 -p /var/lib/dspam
chown -R "${cfg.user}:${cfg.group}" /var/lib/dspam
mkdir -m750 -p /var/log/dspam
chown -R "${cfg.user}:${cfg.group}" /var/log/dspam
'';
};
}

7 changes: 4 additions & 3 deletions nixos/modules/services/mail/opendkim.nix
Expand Up @@ -101,13 +101,16 @@ in {

environment.systemPackages = [ pkgs.opendkim ];

systemd.tmpfiles.rules = [
"d '${cfg.keyPath}' - ${cfg.user} ${cfg.group} - -"
];

systemd.services.opendkim = {
description = "OpenDKIM signing and verification daemon";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];

preStart = ''
mkdir -p "${cfg.keyPath}"
cd "${cfg.keyPath}"
if ! test -f ${cfg.selector}.private; then
${pkgs.opendkim}/bin/opendkim-genkey -s ${cfg.selector} -d all-domains-generic-key
Expand All @@ -116,15 +119,13 @@ in {
cat ${cfg.selector}.txt
echo "-------------------------------------------------------------"
fi
chown ${cfg.user}:${cfg.group} ${cfg.selector}.private
'';

serviceConfig = {
ExecStart = "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
User = cfg.user;
Group = cfg.group;
RuntimeDirectory = optional (cfg.socket == defaultSock) "opendkim";
PermissionsStartOnly = true;
};
};

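Review bot: `"d '${cfg.keyPath}' - ${cfg.user} ${cfg.group} - -"` leaves the key directory at the tmpfiles default mode of 0755, and that directory holds the DKIM signing key `${cfg.selector}.private` that preStart generates; restricting it with `"d '${cfg.keyPath}' 0750 ${cfg.user} ${cfg.group} - -"` stops the key's confidentiality from resting solely on whatever mode opendkim-genkey gives the file. Since `chown ${cfg.user}:${cfg.group} ${cfg.selector}.private` is gone and preStart now runs as `${cfg.user}`, a `.private` file that an older root-run preStart left root-owned is no longer repaired and opendkim will fail to read it; that deserves a sentence in the commit message.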
9 changes: 2 additions & 7 deletions nixos/modules/services/misc/apache-kafka.nix
Expand Up @@ -131,6 +131,8 @@ in {
home = head cfg.logDirs;
};

systemd.tmpfiles.rules = map (logDir: "d '${logDir} 0700 apache-kafka - - -") cfg.logDirs;

systemd.services.apache-kafka = {
description = "Apache Kafka Daemon";
wantedBy = [ "multi-user.target" ];
Expand All @@ -145,15 +147,8 @@ in {
${serverConfig}
'';
User = "apache-kafka";
PermissionsStartOnly = true;
SuccessExitStatus = "0 143";
};
preStart = ''
mkdir -m 0700 -p ${concatStringsSep " " cfg.logDirs}
if [ "$(id -u)" = 0 ]; then
chown apache-kafka ${concatStringsSep " " cfg.logDirs};
fi
'';
};

};
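Review bot: The rule string `"d '${logDir} 0700 apache-kafka - - -"` opens a single quote before `${logDir}` but never closes it, so systemd-tmpfiles either rejects the line or treats the rest of it as one quoted path; with the `mkdir -m 0700 -p` preStart removed, the log directories are not created on a fresh system and Kafka cannot start. The closing quote belongs right after the path: `systemd.tmpfiles.rules = map (logDir: "d '${logDir}' 0700 apache-kafka - - -") cfg.logDirs;`. The removed preStart only chowned when running as root; the rule now always sets the owner, which matches the user declared earlier in the hunk.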
7 changes: 1 addition & 6 deletions nixos/modules/services/misc/couchpotato.nix
Expand Up @@ -19,16 +19,11 @@ in
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];

preStart = ''
mkdir -p /var/lib/couchpotato
chown -R couchpotato:couchpotato /var/lib/couchpotato
'';

serviceConfig = {
Type = "simple";
User = "couchpotato";
Group = "couchpotato";
PermissionsStartOnly = "true";
StateDirectory = "couchpotato";
ExecStart = "${pkgs.couchpotato}/bin/couchpotato";
Restart = "on-failure";
};
15 changes: 6 additions & 9 deletions nixos/modules/services/misc/gollum.nix
Expand Up @@ -75,27 +75,24 @@ in

users.groups.gollum = { };

systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' - ${config.users.users.gollum.name} ${config.users.groups.gollum.name} - -"
];

systemd.services.gollum = {
description = "Gollum wiki";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.git ];

preStart = let
userName = config.users.users.gollum.name;
groupName = config.users.groups.gollum.name;
in ''
# All of this is safe to be run on an existing repo
mkdir -p ${cfg.stateDir}
preStart = ''
# This is safe to be run on an existing repo
git init ${cfg.stateDir}
chmod 755 ${cfg.stateDir}
chown -R ${userName}:${groupName} ${cfg.stateDir}
'';

serviceConfig = {
User = config.users.users.gollum.name;
Group = config.users.groups.gollum.name;
PermissionsStartOnly = true;
ExecStart = ''
${pkgs.gollum}/bin/gollum \
--port ${toString cfg.port} \

0 comments on commit 38c28ef
