From 86fd8c910db9856ca0a2932c379e02bcc915bf57 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sat, 23 Feb 2019 16:05:53 -0500 Subject: [PATCH 01/34] nixos/charybdis: replace deprecated usage of PermissionsStartOnly --- nixos/modules/services/networking/charybdis.nix | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/nixos/modules/services/networking/charybdis.nix b/nixos/modules/services/networking/charybdis.nix index 3d02dc8d1375..e3aba063f87b 100644 --- a/nixos/modules/services/networking/charybdis.nix +++ b/nixos/modules/services/networking/charybdis.nix @@ -83,6 +83,10 @@ in gid = config.ids.gids.ircd; }; + systemd.tmpfiles.rules = [ + "d ${cfg.statedir} - ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.charybdis = { description = "Charybdis IRC daemon"; wantedBy = [ "multi-user.target" ]; @@ -93,12 +97,7 @@ in ExecStart = "${charybdis}/bin/charybdis -foreground -logfile /dev/stdout -configfile ${configFile}"; Group = cfg.group; User = cfg.user; - PermissionsStartOnly = true; # preStart needs to run with root permissions }; - preStart = '' - ${coreutils}/bin/mkdir -p ${cfg.statedir} - ${coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.statedir} - ''; }; } From 9fc6955abc34f3454d4a991b8e729f4785ff2a96 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sat, 23 Feb 2019 16:11:22 -0500 Subject: [PATCH 02/34] nixos/couchpotato: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/misc/couchpotato.nix | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/nixos/modules/services/misc/couchpotato.nix b/nixos/modules/services/misc/couchpotato.nix index 70aa895f76d8..528af486b414 100644 --- a/nixos/modules/services/misc/couchpotato.nix +++ b/nixos/modules/services/misc/couchpotato.nix 
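Review bot: The tmpfiles rule added in the first charybdis hunk interpolates `${cfg.statedir}` unquoted, unlike every other path in this series, so a state directory containing whitespace would be split into separate fields by systemd-tmpfiles. Quote it the same way the later patches do: `"d '${cfg.statedir}' - ${cfg.user} ${cfg.group} - -"`. With `-` as the mode the directory defaults to 0755, which matches the `mkdir -p` the second hunk removes, so no permission change is introduced.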
@@ -19,16 +19,11 @@ in after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - preStart = '' - mkdir -p /var/lib/couchpotato - chown -R couchpotato:couchpotato /var/lib/couchpotato - ''; - serviceConfig = { Type = "simple"; User = "couchpotato"; Group = "couchpotato"; - PermissionsStartOnly = "true"; + StateDirectory = "couchpotato"; ExecStart = "${pkgs.couchpotato}/bin/couchpotato"; Restart = "on-failure"; }; From a8defe81d1c7d0c078d4f531033ac7ebbd725878 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sat, 23 Feb 2019 16:15:58 -0500 Subject: [PATCH 03/34] nixos/mopidy: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/audio/mopidy.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/nixos/modules/services/audio/mopidy.nix b/nixos/modules/services/audio/mopidy.nix index e2f4ec39f94c..a534b692f177 100644 --- a/nixos/modules/services/audio/mopidy.nix +++ b/nixos/modules/services/audio/mopidy.nix @@ -70,25 +70,25 @@ in { config = mkIf cfg.enable { + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' - mopidy mopidy - -" + ]; + systemd.services.mopidy = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" "sound.target" ]; description = "mopidy music player daemon"; - preStart = "mkdir -p ${cfg.dataDir} && chown -R mopidy:mopidy ${cfg.dataDir}"; serviceConfig = { ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)}"; User = "mopidy"; - PermissionsStartOnly = true; }; }; systemd.services.mopidy-scan = { description = "mopidy local files scanner"; - preStart = "mkdir -p ${cfg.dataDir} && chown -R mopidy:mopidy ${cfg.dataDir}"; serviceConfig = { ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)} local scan"; User = "mopidy"; - PermissionsStartOnly = true; Type = "oneshot"; }; }; 
@@ -98,7 +98,7 @@ in { group = "mopidy"; extraGroups = [ "audio" ]; description = "Mopidy daemon user"; - home = "${cfg.dataDir}"; + home = cfg.dataDir; }; users.groups.mopidy.gid = gid; From 73342be85bc28e8ab0e420554a3a5f0b83d164e5 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sat, 23 Feb 2019 17:23:28 -0500 Subject: [PATCH 04/34] nixos/riemann-dash: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/monitoring/riemann-dash.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/nixos/modules/services/monitoring/riemann-dash.nix b/nixos/modules/services/monitoring/riemann-dash.nix index 7eb4d888b0cc..16eb83008509 100644 --- a/nixos/modules/services/monitoring/riemann-dash.nix +++ b/nixos/modules/services/monitoring/riemann-dash.nix @@ -59,18 +59,20 @@ in { group = "riemanndash"; }; + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' - riemanndash riemanndash - -" + ]; + systemd.services.riemann-dash = { wantedBy = [ "multi-user.target" ]; wants = [ "riemann.service" ]; after = [ "riemann.service" ]; preStart = '' - mkdir -p ${cfg.dataDir}/config - chown -R riemanndash:riemanndash ${cfg.dataDir} + mkdir -p '${cfg.dataDir}/config' ''; serviceConfig = { User = "riemanndash"; ExecStart = "${launcher}/bin/riemann-dash"; - PermissionsStartOnly = true; }; }; From 191e4b075547c46449eaefd23b600d42e76d26e8 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sat, 23 Feb 2019 17:45:28 -0500 Subject: [PATCH 05/34] nixos/heartbeat: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/logging/heartbeat.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/nixos/modules/services/logging/heartbeat.nix b/nixos/modules/services/logging/heartbeat.nix index b595ac07bf5e..56fb4deabda5 100644 --- a/nixos/modules/services/logging/heartbeat.nix +++ b/nixos/modules/services/logging/heartbeat.nix 
@@ -54,16 +54,18 @@ in config = mkIf cfg.enable { + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' - nobody nogroup - -" + ]; + systemd.services.heartbeat = with pkgs; { description = "heartbeat log shipper"; wantedBy = [ "multi-user.target" ]; preStart = '' mkdir -p "${cfg.stateDir}"/{data,logs} - chown nobody:nogroup "${cfg.stateDir}"/{data,logs} ''; serviceConfig = { User = "nobody"; - PermissionsStartOnly = true; AmbientCapabilities = "cap_net_raw"; ExecStart = "${pkgs.heartbeat}/bin/heartbeat -c \"${heartbeatYml}\" -path.data \"${cfg.stateDir}/data\" -path.logs \"${cfg.stateDir}/logs\""; }; From 74b34535fc576d40b432549f97ff720751b672f4 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sat, 23 Feb 2019 18:00:03 -0500 Subject: [PATCH 06/34] nixos/gollum: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/misc/gollum.nix | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/nixos/modules/services/misc/gollum.nix b/nixos/modules/services/misc/gollum.nix index d1823bc6d4df..7653b415bf09 100644 --- a/nixos/modules/services/misc/gollum.nix +++ b/nixos/modules/services/misc/gollum.nix 
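Review bot: The new rule hands ownership of `${cfg.stateDir}` to the shared `nobody`/`nogroup` account, so any other process running as nobody can modify heartbeat's data and log directories; this mirrors the `chown nobody:nogroup` it replaces rather than introducing the exposure, but the conversion is the natural point to give the unit its own identity (for example `DynamicUser = true` with `StateDirectory`, which would make the rule unnecessary). The remaining `mkdir -p "${cfg.stateDir}"/{data,logs}` in preStart now runs unprivileged and only works because the rule makes nobody the owner; a comment such as `# preStart runs as User; stateDir ownership comes from the tmpfiles rule above` would make that coupling visible. The enclosing `config` block continues past the hunk.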
@@ -75,27 +75,24 @@ in users.groups.gollum = { }; + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' - ${config.users.users.gollum.name} ${config.users.groups.gollum.name} - -" + ]; + systemd.services.gollum = { description = "Gollum wiki"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; path = [ pkgs.git ]; - preStart = let - userName = config.users.users.gollum.name; - groupName = config.users.groups.gollum.name; - in '' - # All of this is safe to be run on an existing repo - mkdir -p ${cfg.stateDir} + preStart = '' + # This is safe to be run on an existing repo git init ${cfg.stateDir} - chmod 755 ${cfg.stateDir} - chown -R ${userName}:${groupName} ${cfg.stateDir} ''; serviceConfig = { User = config.users.users.gollum.name; Group = config.users.groups.gollum.name; - PermissionsStartOnly = true; ExecStart = '' ${pkgs.gollum}/bin/gollum \ --port ${toString cfg.port} \ From 93235b8a858cd673822fcf310962857059caf6b5 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 07:17:37 -0500 Subject: [PATCH 07/34] nixos/minidlna: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/networking/minidlna.nix | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/nixos/modules/services/networking/minidlna.nix b/nixos/modules/services/networking/minidlna.nix index 1858f03cac1f..ed0c1044a570 100644 --- a/nixos/modules/services/networking/minidlna.nix +++ b/nixos/modules/services/networking/minidlna.nix @@ -98,16 +98,10 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" "local-fs.target" ]; - preStart = - '' - mkdir -p /var/cache/minidlna - chown -R minidlna:minidlna /var/cache/minidlna - ''; - serviceConfig = { User = "minidlna"; Group = "minidlna"; - PermissionsStartOnly = true; + CacheDirectory = "minidlna"; RuntimeDirectory = "minidlna"; PIDFile = "/run/minidlna/pid"; ExecStart = 
From c7481e6340a4eb771d2cc0a057ef4676a377486e Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 07:23:11 -0500 Subject: [PATCH 08/34] nixos/hbase: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/databases/hbase.nix | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/nixos/modules/services/databases/hbase.nix b/nixos/modules/services/databases/hbase.nix index 52f2d95b4e00..589c8cf5ec80 100644 --- a/nixos/modules/services/databases/hbase.nix +++ b/nixos/modules/services/databases/hbase.nix @@ -94,6 +94,11 @@ in { config = mkIf config.services.hbase.enable { + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -" + "d '${cfg.logDir}' - ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.hbase = { description = "HBase Server"; wantedBy = [ "multi-user.target" ]; @@ -103,19 +108,7 @@ in { HBASE_LOG_DIR = cfg.logDir; }; - preStart = - '' - mkdir -p ${cfg.dataDir}; - mkdir -p ${cfg.logDir}; - - if [ "$(id -u)" = 0 ]; then - chown ${cfg.user}:${cfg.group} ${cfg.dataDir} - chown ${cfg.user}:${cfg.group} ${cfg.logDir} - fi - ''; - serviceConfig = { - PermissionsStartOnly = true; User = cfg.user; Group = cfg.group; ExecStart = "${cfg.package}/bin/hbase --config ${configDir} master start"; From 4a4d3a2e047ab744eb35c4440e42fa42ce6a3303 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 07:39:53 -0500 Subject: [PATCH 09/34] nixos/zeronet: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/networking/zeronet.nix | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/nixos/modules/services/networking/zeronet.nix b/nixos/modules/services/networking/zeronet.nix index 611a51c74ce2..f4988a902685 100644 --- a/nixos/modules/services/networking/zeronet.nix +++ b/nixos/modules/services/networking/zeronet.nix 
@@ -86,20 +86,17 @@ in with lib; { ''; }; + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' 750 zeronet zeronet - -" + "d '${cfg.logDir}' 750 zeronet zeronet - -" + ]; + systemd.services.zeronet = { description = "zeronet"; after = [ "network.target" (optionalString cfg.tor "tor.service") ]; wantedBy = [ "multi-user.target" ]; - preStart = '' - # Ensure folder exists or create it and permissions are correct - mkdir -p ${escapeShellArg cfg.dataDir} ${escapeShellArg cfg.logDir} - chmod 750 ${escapeShellArg cfg.dataDir} ${escapeShellArg cfg.logDir} - chown zeronet:zeronet ${escapeShellArg cfg.dataDir} ${escapeShellArg cfg.logDir} - ''; - serviceConfig = { - PermissionsStartOnly = true; PrivateTmp = "yes"; User = "zeronet"; Group = "zeronet"; From 0b7305e7830683300fdc9bd3e83000bc9fa2a27b Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 07:57:19 -0500 Subject: [PATCH 10/34] nixos/unifi: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/networking/unifi.nix | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/nixos/modules/services/networking/unifi.nix b/nixos/modules/services/networking/unifi.nix index c82e0af2803d..9057a1e12b33 100644 --- a/nixos/modules/services/networking/unifi.nix +++ b/nixos/modules/services/networking/unifi.nix @@ -146,6 +146,11 @@ in where = where; }) mountPoints; + systemd.tmpfiles.rules = [ + "e '${stateDir}' 0700 unifi - - -" + "e '${stateDir}/data' 0700 unifi - - -" + ]; + systemd.services.unifi = { description = "UniFi controller daemon"; wantedBy = [ "multi-user.target" ]; 
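Review bot: The two `e` lines in the first unifi hunk only adjust mode and ownership of paths that already exist — as I read tmpfiles.d(5), `e` never creates a directory — so on a fresh install `${stateDir}` and `${stateDir}/data` must be provided by something else, presumably the mount points declared just above this hunk or the unifi user's home; if that assumption is wrong, the `mkdir -p "${stateDir}/webapps"` in preStart, which now runs as `unifi` once PermissionsStartOnly is gone, fails. A comment would spare the next reader the same check: `# 'e' only enforces 0700/unifi on existing paths; stateDir and data are created elsewhere`. The `systemd.services.unifi` definition continues in the following hunks.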
@@ -157,14 +162,9 @@ in environment.LD_LIBRARY_PATH = with pkgs.stdenv; "${cc.cc.lib}/lib"; preStart = '' - # Ensure privacy of state and data. - chown unifi "${stateDir}" "${stateDir}/data" - chmod 0700 "${stateDir}" "${stateDir}/data" - # Create the volatile webapps rm -rf "${stateDir}/webapps" mkdir -p "${stateDir}/webapps" - chown unifi "${stateDir}/webapps" ln -s "${cfg.unifiPackage}/webapps/ROOT" "${stateDir}/webapps/ROOT" ''; @@ -177,7 +177,6 @@ in ExecStart = "${(removeSuffix "\n" cmd)} start"; ExecStop = "${(removeSuffix "\n" cmd)} stop"; User = "unifi"; - PermissionsStartOnly = true; UMask = "0077"; WorkingDirectory = "${stateDir}"; }; From dd9598cf5489303f5d02adb00669bc75c179cef3 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 08:16:35 -0500 Subject: [PATCH 11/34] nixos/teamspeak3: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/networking/teamspeak3.nix | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/nixos/modules/services/networking/teamspeak3.nix b/nixos/modules/services/networking/teamspeak3.nix index 9ea9c83e37cd..fadb32dcd777 100644 --- a/nixos/modules/services/networking/teamspeak3.nix +++ b/nixos/modules/services/networking/teamspeak3.nix @@ -111,16 +111,15 @@ in gid = config.ids.gids.teamspeak; }; + systemd.tmpfiles.rules = [ + "d '${cfg.logPath}' - ${user} ${group} - -" + ]; + systemd.services.teamspeak3-server = { description = "Teamspeak3 voice communication server daemon"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - preStart = '' - mkdir -p ${cfg.logPath} - chown ${user}:${group} ${cfg.logPath} - ''; - serviceConfig = { ExecStart = '' ${ts3}/bin/ts3server \ @@ -135,7 +134,6 @@ in WorkingDirectory = cfg.dataDir; User = user; Group = group; - PermissionsStartOnly = true; }; }; }; From 307a99bb01ed30f5a3c690c0b1f5fc3204d269ce Mon Sep 17 00:00:00 2001 
From: Aaron Andersen Date: Sun, 24 Feb 2019 08:26:36 -0500 Subject: [PATCH 12/34] nixos/squid: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/networking/squid.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/nixos/modules/services/networking/squid.nix b/nixos/modules/services/networking/squid.nix index b220c21b604f..9d063b92aa1e 100644 --- a/nixos/modules/services/networking/squid.nix +++ b/nixos/modules/services/networking/squid.nix @@ -159,11 +159,10 @@ in serviceConfig = { Type="forking"; PIDFile="/run/squid.pid"; - PermissionsStartOnly = true; ExecStart = "${pkgs.squid}/bin/squid -YCs -f ${squidConfig}"; }; }; }; -} \ No newline at end of file +} From d33c64eec862abe88fd4fdce6177c48d6f195bf8 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 08:34:02 -0500 Subject: [PATCH 13/34] nixos/slimserver: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/audio/slimserver.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/nixos/modules/services/audio/slimserver.nix b/nixos/modules/services/audio/slimserver.nix index 640403d2c97d..8f94a2b49404 100644 --- a/nixos/modules/services/audio/slimserver.nix +++ b/nixos/modules/services/audio/slimserver.nix 
@@ -42,15 +42,17 @@ in { config = mkIf cfg.enable { + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' - slimserver slimserver - -" + ]; + systemd.services.slimserver = { after = [ "network.target" ]; description = "Slim Server for Logitech Squeezebox Players"; wantedBy = [ "multi-user.target" ]; - preStart = "mkdir -p ${cfg.dataDir} && chown -R slimserver:slimserver ${cfg.dataDir}"; serviceConfig = { User = "slimserver"; - PermissionsStartOnly = true; # Issue 40589: Disable broken image/video support (audio still works!) ExecStart = "${cfg.package}/slimserver.pl --logdir ${cfg.dataDir}/logs --prefsdir ${cfg.dataDir}/prefs --cachedir ${cfg.dataDir}/cache --noimage --novideo"; }; From cdcc50484812443b38f8dd23b7aa429b6da41b6a Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 08:34:52 -0500 Subject: [PATCH 14/34] nixos/scollector: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/monitoring/scollector.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/nixos/modules/services/monitoring/scollector.nix b/nixos/modules/services/monitoring/scollector.nix index fbded746a5f7..dc0899c7e684 100644 --- a/nixos/modules/services/monitoring/scollector.nix +++ b/nixos/modules/services/monitoring/scollector.nix @@ -116,7 +116,6 @@ in { path = [ pkgs.coreutils pkgs.iproute ]; serviceConfig = { - PermissionsStartOnly = true; User = cfg.user; Group = cfg.group; ExecStart = "${cfg.package.bin}/bin/scollector -conf=${conf} ${lib.concatStringsSep " " cfg.extraOpts}"; From 780ff9a4eb9c4017e65b3d847224d5fcc1997ddc Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 08:38:32 -0500 Subject: [PATCH 15/34] nixos/riemann-tools: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/monitoring/riemann-tools.nix | 1 - 1 file changed, 1 deletion(-) 
diff --git a/nixos/modules/services/monitoring/riemann-tools.nix b/nixos/modules/services/monitoring/riemann-tools.nix index 4e8832dadc5e..9c400a1e3e46 100644 --- a/nixos/modules/services/monitoring/riemann-tools.nix +++ b/nixos/modules/services/monitoring/riemann-tools.nix @@ -54,7 +54,6 @@ in { serviceConfig = { User = "riemanntools"; ExecStart = "${healthLauncher}/bin/riemann-health"; - PermissionsStartOnly = true; }; }; From 46a5db08105f98cef5464dfb4f3318555958689e Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 08:56:36 -0500 Subject: [PATCH 16/34] nixos/quassel: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/networking/quassel.nix | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/nixos/modules/services/networking/quassel.nix b/nixos/modules/services/networking/quassel.nix index b223a48e0550..b495b3948fb5 100644 --- a/nixos/modules/services/networking/quassel.nix +++ b/nixos/modules/services/networking/quassel.nix @@ -104,6 +104,10 @@ in gid = config.ids.gids.quassel; }]; + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' - ${user} - - -" + ]; + systemd.services.quassel = { description = "Quassel IRC client daemon"; @@ -111,11 +115,6 @@ in after = [ "network.target" ] ++ optional config.services.postgresql.enable "postgresql.service" ++ optional config.services.mysql.enable "mysql.service"; - preStart = '' - mkdir -p ${cfg.dataDir} - chown ${user} ${cfg.dataDir} - ''; - serviceConfig = { ExecStart = concatStringsSep " " ([ @@ -126,7 +125,6 @@ in ] ++ optional cfg.requireSSL "--require-ssl" ++ optional (cfg.certificateFile != null) "--ssl-cert=${cfg.certificateFile}"); User = user; - PermissionsStartOnly = true; }; }; From ff2fdc294eddaf4b75066b32e5a07978345b4e88 Mon Sep 17 00:00:00 2001 
From: Aaron Andersen Date: Sun, 24 Feb 2019 12:39:56 -0500 Subject: [PATCH 17/34] nixos/kapacitor: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/monitoring/kapacitor.nix | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/nixos/modules/services/monitoring/kapacitor.nix b/nixos/modules/services/monitoring/kapacitor.nix index a4bdfa8f8053..9966ffd500e8 100644 --- a/nixos/modules/services/monitoring/kapacitor.nix +++ b/nixos/modules/services/monitoring/kapacitor.nix @@ -163,6 +163,10 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.kapacitor ]; + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.kapacitor = { description = "Kapacitor Real-Time Stream Processing Engine"; wantedBy = [ "multi-user.target" ]; @@ -171,12 +175,7 @@ in ExecStart = "${pkgs.kapacitor}/bin/kapacitord -config ${kapacitorConf}"; User = "kapacitor"; Group = "kapacitor"; - PermissionsStartOnly = true; }; - preStart = '' - mkdir -p ${cfg.dataDir} - chown ${cfg.user}:${cfg.group} ${cfg.dataDir} - ''; }; users.users.kapacitor = { From 2c350782ba394eb8b50586781d3fa28abc930db3 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 12:52:36 -0500 Subject: [PATCH 18/34] nixos/alerta: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/monitoring/alerta.nix | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/nixos/modules/services/monitoring/alerta.nix b/nixos/modules/services/monitoring/alerta.nix index 8f4258e26ded..2a6afac119e1 100644 --- a/nixos/modules/services/monitoring/alerta.nix +++ b/nixos/modules/services/monitoring/alerta.nix 
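Review bot: The tmpfiles rule in the first kapacitor hunk gives `${cfg.dataDir}` to `${cfg.user}:${cfg.group}`, but the serviceConfig in the second hunk still hardcodes `User = "kapacitor"; Group = "kapacitor";`, so any non-default cfg.user/cfg.group yields a directory the daemon cannot write and hands it to an account that does not run the service. The removed preStart had the same mismatch, but this conversion is where it should be settled: `User = cfg.user;` and `Group = cfg.group;`. I am inferring that cfg.user and cfg.group are user-settable options from their use in the rule; if they are fixed to "kapacitor" elsewhere in the module, the two spellings are merely inconsistent rather than wrong.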
@@ -83,6 +83,10 @@ in }; config = mkIf cfg.enable { + systemd.tmpfiles.rules = [ + "d '${cfg.logDir}' - alerta alerta - -" + ]; + systemd.services.alerta = { description = "Alerta Monitoring System"; wantedBy = [ "multi-user.target" ]; @@ -94,12 +98,7 @@ in ExecStart = "${pkgs.python36Packages.alerta-server}/bin/alertad run --port ${toString cfg.port} --host ${cfg.bind}"; User = "alerta"; Group = "alerta"; - PermissionsStartOnly = true; }; - preStart = '' - mkdir -p ${cfg.logDir} - chown alerta:alerta ${cfg.logDir} - ''; }; environment.systemPackages = [ pkgs.python36Packages.alerta ]; From b6bfb874ecb52d7d3cadcd8c22edc3303ebd5a13 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 12:56:12 -0500 Subject: [PATCH 19/34] nixos/apache-kafka: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/misc/apache-kafka.nix | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/nixos/modules/services/misc/apache-kafka.nix b/nixos/modules/services/misc/apache-kafka.nix index 363ac4411e11..9eeae9556992 100644 --- a/nixos/modules/services/misc/apache-kafka.nix +++ b/nixos/modules/services/misc/apache-kafka.nix @@ -131,6 +131,8 @@ in { home = head cfg.logDirs; }; + systemd.tmpfiles.rules = map (logDir: "d '${logDir} 0700 apache-kafka - - -") cfg.logDirs; + systemd.services.apache-kafka = { description = "Apache Kafka Daemon"; wantedBy = [ "multi-user.target" ]; @@ -145,15 +147,8 @@ in { ${serverConfig} ''; User = "apache-kafka"; - PermissionsStartOnly = true; SuccessExitStatus = "0 143"; }; - preStart = '' - mkdir -m 0700 -p ${concatStringsSep " " cfg.logDirs} - if [ "$(id -u)" = 0 ]; then - chown apache-kafka ${concatStringsSep " " cfg.logDirs}; - fi - ''; }; }; From e85d03e52b05b4aae4c95f1941ea6e1880be55e4 Mon Sep 17 00:00:00 2001 
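Review bot: The generated rule in the first apache-kafka hunk is missing the closing quote after the path: `"d '${logDir} 0700 apache-kafka - - -"` opens a quoted field that never closes, so systemd-tmpfiles will reject the line or absorb the rest of it into the path, and the log directories are neither created nor restricted to 0700 before the broker starts — a guarantee the removed `mkdir -m 0700 -p` in the second hunk used to provide. Fix: `systemd.tmpfiles.rules = map (logDir: "d '${logDir}' 0700 apache-kafka - - -") cfg.logDirs;`. Once the rule is valid the preStart removal is fine, since every directory in cfg.logDirs is then owned by apache-kafka.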
From: Aaron Andersen Date: Sun, 24 Feb 2019 13:02:10 -0500 Subject: [PATCH 20/34] nixos/aria2: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/networking/aria2.nix | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/nixos/modules/services/networking/aria2.nix b/nixos/modules/services/networking/aria2.nix index 98eb00861016..53829bf18863 100644 --- a/nixos/modules/services/networking/aria2.nix +++ b/nixos/modules/services/networking/aria2.nix @@ -102,22 +102,19 @@ in users.groups.aria2.gid = config.ids.gids.aria2; + systemd.tmpfiles.rules = [ + "d '${homeDir}' 0770 aria2 aria2 - -" + "d '${config.services.aria2.downloadDir}' 0770 aria2 aria2 - -" + ]; + systemd.services.aria2 = { description = "aria2 Service"; after = [ "local-fs.target" "network.target" ]; wantedBy = [ "multi-user.target" ]; preStart = '' - mkdir -m 0770 -p "${homeDir}" - chown aria2:aria2 "${homeDir}" - if [[ ! -d "${config.services.aria2.downloadDir}" ]] - then - mkdir -m 0770 -p "${config.services.aria2.downloadDir}" - chown aria2:aria2 "${config.services.aria2.downloadDir}" - fi if [[ ! -e "${sessionFile}" ]] then touch "${sessionFile}" - chown aria2:aria2 "${sessionFile}" fi cp -f "${settingsFile}" "${settingsDir}/aria2.conf" ''; @@ -128,7 +125,6 @@ in ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; User = "aria2"; Group = "aria2"; - PermissionsStartOnly = true; }; }; }; From e734494a5971564bb7169afe43634da8493e32ee Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 13:04:19 -0500 Subject: [PATCH 21/34] nixos/autossh: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/networking/autossh.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/nixos/modules/services/networking/autossh.nix b/nixos/modules/services/networking/autossh.nix index 9ea17469870d..a098a155e991 100644 
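Review bot: The rule `"d '${config.services.aria2.downloadDir}' 0770 aria2 aria2 - -"` in the first aria2 hunk changes behaviour for a pre-existing download directory: a `d` line also adjusts mode and ownership when the directory already exists, whereas the removed preStart only created it when missing (`if [[ ! -d ... ]]`) and otherwise left it untouched. A user who points downloadDir at a shared or personal directory will now have it chowned to aria2:aria2 and set to 0770 on every tmpfiles run, which is a privilege change on data outside the service's own state. If the old semantics are wanted, keep the conditional creation in a root-run `ExecStartPre` entry prefixed with `+` (systemd's replacement for PermissionsStartOnly) and manage only `homeDir` through tmpfiles; otherwise the change deserves a sentence in the downloadDir option description. Note also that `touch "${sessionFile}"` in preStart now runs as `aria2`, which assumes sessionFile lives under one of the directories the rules assign to aria2 — I cannot confirm that from the hunk.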
--- a/nixos/modules/services/networking/autossh.nix +++ b/nixos/modules/services/networking/autossh.nix @@ -99,7 +99,6 @@ in serviceConfig = { User = "${s.user}"; - PermissionsStartOnly = true; # AutoSSH may exit with 0 code if the SSH session was # gracefully terminated by either local or remote side. Restart = "on-success"; From 8ac5973610e39ff3bd1d8a94a375c036ac7eef8a Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 13:05:44 -0500 Subject: [PATCH 22/34] nixos/boinc: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/computing/boinc/client.nix | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/nixos/modules/services/computing/boinc/client.nix b/nixos/modules/services/computing/boinc/client.nix index 8abe3c5b8c9b..7022751b3f01 100644 --- a/nixos/modules/services/computing/boinc/client.nix +++ b/nixos/modules/services/computing/boinc/client.nix @@ -105,19 +105,18 @@ in isSystemUser = true; }; + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' - boinc - - -" + ]; + systemd.services.boinc = { description = "BOINC Client"; after = ["network.target" "local-fs.target"]; wantedBy = ["multi-user.target"]; - preStart = '' - mkdir -p ${cfg.dataDir} - chown boinc ${cfg.dataDir} - ''; script = '' ${fhsEnvExecutable} --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag} ''; serviceConfig = { - PermissionsStartOnly = true; # preStart must be run as root User = "boinc"; Nice = 10; }; From 99f74c268bf17523d22b92e12f7488eaf2feb3be Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 15:30:57 -0500 Subject: [PATCH 23/34] nixos/confluence: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- .../services/web-apps/atlassian/confluence.nix | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) 
diff --git a/nixos/modules/services/web-apps/atlassian/confluence.nix b/nixos/modules/services/web-apps/atlassian/confluence.nix index 15744d90cc79..cf163271d276 100644 --- a/nixos/modules/services/web-apps/atlassian/confluence.nix +++ b/nixos/modules/services/web-apps/atlassian/confluence.nix @@ -149,6 +149,17 @@ in users.groups."${cfg.group}" = {}; + systemd.tmpfiles.rules = [ + "d '${cfg.home}' - ${cfg.user} - - -" + "d /run/confluence - - - - -" + + "L+ /run/confluence/home - - - - ${cfg.home}" + "L+ /run/confluence/logs - - - - ${cfg.home}/logs" + "L+ /run/confluence/temp - - - - ${cfg.home}/temp" + "L+ /run/confluence/work - - - - ${cfg.home}/work" + "L+ /run/confluence/server.xml - - - - ${cfg.home}/server.xml" + ]; + systemd.services.confluence = { description = "Atlassian Confluence"; @@ -167,12 +178,6 @@ in preStart = '' mkdir -p ${cfg.home}/{logs,work,temp,deploy} - mkdir -p /run/confluence - ln -sf ${cfg.home}/{logs,work,temp,server.xml} /run/confluence - ln -sf ${cfg.home} /run/confluence/home - - chown ${cfg.user} ${cfg.home} - sed -e 's,port="8090",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \ '' + (lib.optionalString cfg.proxy.enable '' -e 's,protocol="org.apache.coyote.http11.Http11NioProtocol",protocol="org.apache.coyote.http11.Http11NioProtocol" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}",' \ @@ -184,7 +189,6 @@ in User = cfg.user; Group = cfg.group; PrivateTmp = true; - PermissionsStartOnly = true; ExecStart = "${pkg}/bin/start-confluence.sh -fg"; ExecStop = "${pkg}/bin/stop-confluence.sh"; }; From 204be045312a1167d81fee023d3b817c762cbd74 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 15:35:59 -0500 Subject: [PATCH 24/34] nixos/crowd: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- .../services/web-apps/atlassian/crowd.nix | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) 
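Review bot: In the first confluence hunk `"d '${cfg.home}' - ${cfg.user} - - -"` leaves the group at the tmpfiles default while the unit runs with `Group = cfg.group`; the crowd conversion in this same series passes `${cfg.user} ${cfg.group}`, and matching it here keeps the two Atlassian modules consistent: `"d '${cfg.home}' - ${cfg.user} ${cfg.group} - -"`. The `L+` lines remove any existing non-symlink entry at the link path before creating the link, which is the same effect the old `ln -sf` had but is easy to miss when reading tmpfiles rules; a one-line comment such as `# L+ replaces whatever already exists at the link path` would help. The `mkdir -p ${cfg.home}/{logs,work,temp,deploy}` kept in preStart now runs as cfg.user and depends on the first rule having made cfg.user the owner.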
diff --git a/nixos/modules/services/web-apps/atlassian/crowd.nix b/nixos/modules/services/web-apps/atlassian/crowd.nix index c144b21bdaf2..020ca8d89dbb 100644 --- a/nixos/modules/services/web-apps/atlassian/crowd.nix +++ b/nixos/modules/services/web-apps/atlassian/crowd.nix @@ -117,6 +117,16 @@ in users.groups."${cfg.group}" = {}; + systemd.tmpfiles.rules = [ + "d '${cfg.home}' - ${cfg.user} ${cfg.group} - -" + "d /run/atlassian-crowd - - - - -" + + "L+ /run/atlassian-crowd/database - - - - ${cfg.home}/database" + "L+ /run/atlassian-crowd/logs - - - - ${cfg.home}/logs" + "L+ /run/atlassian-crowd/work - - - - ${cfg.home}/work" + "L+ /run/atlassian-crowd/server.xml - - - - ${cfg.home}/server.xml" + ]; + systemd.services.atlassian-crowd = { description = "Atlassian Crowd"; @@ -136,12 +146,6 @@ in rm -rf ${cfg.home}/work mkdir -p ${cfg.home}/{logs,database,work} - mkdir -p /run/atlassian-crowd - ln -sf ${cfg.home}/{database,logs,work,server.xml} /run/atlassian-crowd - - chown ${cfg.user}:${cfg.group} ${cfg.home} - chown ${cfg.user}:${cfg.group} ${cfg.home}/{logs,database,work} - sed -e 's,port="8095",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \ '' + (lib.optionalString cfg.proxy.enable '' -e 's,compression="on",compression="off" protocol="HTTP/1.1" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}" secure="${boolToString cfg.proxy.secure}",' \ @@ -153,7 +157,6 @@ in User = cfg.user; Group = cfg.group; PrivateTmp = true; - PermissionsStartOnly = true; ExecStart = "${pkg}/start_crowd.sh -fg"; }; }; From 4775c595282ac0531ced5884f4485a1ae834446f Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 16:01:23 -0500 Subject: [PATCH 25/34] nixos/dspam: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/mail/dspam.nix | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) 
diff --git a/nixos/modules/services/mail/dspam.nix b/nixos/modules/services/mail/dspam.nix index 167b5aeccc84..72b8c4c08b92 100644 --- a/nixos/modules/services/mail/dspam.nix +++ b/nixos/modules/services/mail/dspam.nix @@ -113,19 +113,14 @@ in { Group = cfg.group; RuntimeDirectory = optional (cfg.domainSocket == defaultSock) "dspam"; RuntimeDirectoryMode = optional (cfg.domainSocket == defaultSock) "0750"; - PermissionsStartOnly = true; + StateDirectory = "dspam"; + StateDirectoryMode = "0750"; + LogsDirectory = "dspam"; + LogsDirectoryMode = "0750"; # DSPAM segfaults on just about every error Restart = "on-abort"; RestartSec = "1s"; }; - - preStart = '' - mkdir -m750 -p /var/lib/dspam - chown -R "${cfg.user}:${cfg.group}" /var/lib/dspam - - mkdir -m750 -p /var/log/dspam - chown -R "${cfg.user}:${cfg.group}" /var/log/dspam - ''; }; } From 8034dac42fe97afe17f64d77d2b606b09384ddb3 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 16:10:08 -0500 Subject: [PATCH 26/34] nixos/firebird: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/databases/firebird.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/nixos/modules/services/databases/firebird.nix b/nixos/modules/services/databases/firebird.nix index cc81b440450b..042c9841df54 100644 --- a/nixos/modules/services/databases/firebird.nix +++ b/nixos/modules/services/databases/firebird.nix @@ -95,6 +95,11 @@ in environment.systemPackages = [cfg.package]; + systemd.tmpfiles.rules = [ + "d '${dataDir}' 0700 ${cfg.user} - - -" + "d '${systemDir}' 0700 ${cfg.user} - - -" + ]; + systemd.services.firebird = { description = "Firebird Super-Server"; 
@@ -104,21 +109,16 @@ in # is a better way preStart = '' - mkdir -m 0700 -p \ - "${dataDir}" \ - "${systemDir}" \ - /var/log/firebird - if ! test -e "${systemDir}/security2.fdb"; then cp ${firebird}/security2.fdb "${systemDir}" fi - chown -R ${cfg.user} "${dataDir}" "${systemDir}" /var/log/firebird chmod -R 700 "${dataDir}" "${systemDir}" /var/log/firebird ''; - serviceConfig.PermissionsStartOnly = true; # preStart must be run as root serviceConfig.User = cfg.user; + serviceConfig.LogsDirectory = "firebird"; + serviceConfig.LogsDirectoryMode = "0700"; serviceConfig.ExecStart = ''${firebird}/bin/fbserver -d''; # TODO think about shutdown From 65f449fe333ae24d9ea39928be8d28694a52c106 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 16:23:57 -0500 Subject: [PATCH 27/34] nixos/graylog: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/logging/graylog.nix | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/nixos/modules/services/logging/graylog.nix b/nixos/modules/services/logging/graylog.nix index 74a7b3c9b470..ee5668254981 100644 --- a/nixos/modules/services/logging/graylog.nix +++ b/nixos/modules/services/logging/graylog.nix @@ -134,6 +134,10 @@ in }; }; + systemd.tmpfiles.rules = [ + "d '${cfg.messageJournalDir}' - ${cfg.user} - - -" + ]; + systemd.services.graylog = with pkgs; { description = "Graylog Server"; wantedBy = [ "multi-user.target" ]; @@ -143,8 +147,6 @@ in }; path = [ pkgs.jre_headless pkgs.which pkgs.procps ]; preStart = '' - mkdir -p /var/lib/graylog -m 755 - rm -rf /var/lib/graylog/plugins || true mkdir -p /var/lib/graylog/plugins -m 755 
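Review bot: With `PermissionsStartOnly` removed, the surviving `chmod -R 700 "${dataDir}" "${systemDir}" /var/log/firebird` in preStart now runs as `${cfg.user}`, and the `chown -R` that used to guarantee every file there is owned by that user is gone; `chmod` on any entry the user does not own fails, which aborts ExecStartPre and with it the whole service start. The tmpfiles `d` rules added in the previous hunk fix owner and mode of the two top-level directories only. Either drop the `chmod -R` (the 0700 rules and `LogsDirectoryMode` already cover the directories themselves) or keep the recursive repair in tmpfiles, e.g. `"Z '${dataDir}' - ${cfg.user} - - -"` and the same for `${systemDir}`, so that a database file copied in as root is still made usable. A root-owned file placed under `${dataDir}` on a test VM before a restart would confirm the behaviour cheaply.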
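Review bot: The new `d '${cfg.messageJournalDir}'` rule creates only the leaf directory for `${cfg.user}`; if the configured path is nested (a `data/journal` subtree under `/var/lib/graylog`, for instance), tmpfiles creates the missing intermediate directories as root with the default mode, and the removed `chown -R ${cfg.user} /var/lib/graylog` in the next hunk is what used to cover those. `StateDirectory = "graylog"` (also added in the next hunk) takes care of `/var/lib/graylog` itself; whether systemd re-owns an already existing tree recursively should be confirmed rather than assumed. The safe form is one `d` rule per intermediate directory, e.g. `"d /var/lib/graylog/data - ${cfg.user} - - -"` ahead of the journal rule, adjusted to the actual default of `messageJournalDir`.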
@@ -154,14 +156,10 @@ in for includedplugin in `ls ${cfg.package}/plugin/`; do ln -s ${cfg.package}/plugin/$includedplugin /var/lib/graylog/plugins/$includedplugin || true done - chown -R ${cfg.user} /var/lib/graylog - - mkdir -p ${cfg.messageJournalDir} -m 755 - chown -R ${cfg.user} ${cfg.messageJournalDir} ''; serviceConfig = { User="${cfg.user}"; - PermissionsStartOnly=true; + StateDirectory = "graylog"; ExecStart = "${cfg.package}/bin/graylogctl run"; }; }; From 114bd801f478a6cd75ba3909fd31b04086296757 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 16:29:33 -0500 Subject: [PATCH 28/34] nixos/jira: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- .../services/web-apps/atlassian/jira.nix | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/nixos/modules/services/web-apps/atlassian/jira.nix b/nixos/modules/services/web-apps/atlassian/jira.nix index 0b3a5722d6c8..b0019e77ac27 100644 --- a/nixos/modules/services/web-apps/atlassian/jira.nix +++ b/nixos/modules/services/web-apps/atlassian/jira.nix @@ -155,6 +155,17 @@ in users.groups."${cfg.group}" = {}; + systemd.tmpfiles.rules = [ + "d '${cfg.home}' - ${cfg.user} - - -" + "d /run/atlassian-jira - - - - -" + + "L+ /run/atlassian-jira/home - - - - ${cfg.home}" + "L+ /run/atlassian-jira/logs - - - - ${cfg.home}/logs" + "L+ /run/atlassian-jira/work - - - - ${cfg.home}/work" + "L+ /run/atlassian-jira/temp - - - - ${cfg.home}/temp" + "L+ /run/atlassian-jira/server.xml - - - - ${cfg.home}/server.xml" + ]; + systemd.services.atlassian-jira = { description = "Atlassian JIRA"; 
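Review bot: The `d '${cfg.home}'` rule leaves the group as `-`, i.e. root, although the service runs with `Group = cfg.group` (visible in the last hunk) and the crowd change in this same series passes `${cfg.group}` for the equivalent directory; `"d '${cfg.home}' - ${cfg.user} ${cfg.group} - -"` keeps the two modules consistent. The removed `chown ${cfg.user} ${cfg.home}` in the next hunk was group-less too, so this is a gap carried over rather than introduced here. As with crowd, nothing restricts `${cfg.home}` from other local users, so `0750` in the mode field would be the natural hardening now that the rule has one.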
@@ -174,12 +185,6 @@ in preStart = '' mkdir -p ${cfg.home}/{logs,work,temp,deploy} - mkdir -p /run/atlassian-jira - ln -sf ${cfg.home}/{logs,work,temp,server.xml} /run/atlassian-jira - ln -sf ${cfg.home} /run/atlassian-jira/home - - chown ${cfg.user} ${cfg.home} - sed -e 's,port="8080",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \ '' + (lib.optionalString cfg.proxy.enable '' -e 's,protocol="HTTP/1.1",protocol="HTTP/1.1" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}" secure="${toString cfg.proxy.secure}",' \ @@ -191,7 +196,6 @@ in User = cfg.user; Group = cfg.group; PrivateTmp = true; - PermissionsStartOnly = true; ExecStart = "${pkg}/bin/start-jira.sh -fg"; ExecStop = "${pkg}/bin/stop-jira.sh"; }; From fbe59432379249bc94e6bf7bafd925f4299596db Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 09:06:38 -0500 Subject: [PATCH 29/34] nixos/opendkim: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/mail/opendkim.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/nixos/modules/services/mail/opendkim.nix b/nixos/modules/services/mail/opendkim.nix index 7855efb46c73..253823cbaf9c 100644 --- a/nixos/modules/services/mail/opendkim.nix +++ b/nixos/modules/services/mail/opendkim.nix @@ -101,13 +101,16 @@ in { environment.systemPackages = [ pkgs.opendkim ]; + systemd.tmpfiles.rules = [ + "d '${cfg.keyPath}' - ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.opendkim = { description = "OpenDKIM signing and verification daemon"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; preStart = '' - mkdir -p "${cfg.keyPath}" cd "${cfg.keyPath}" if ! test -f ${cfg.selector}.private; then ${pkgs.opendkim}/bin/opendkim-genkey -s ${cfg.selector} -d all-domains-generic-key 
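Review bot: `${cfg.keyPath}` is where `opendkim-genkey` writes `${cfg.selector}.private`, the DKIM signing key, and the new `d` rule leaves its mode at the tmpfiles default of 0755; the removed `mkdir -p` did not set one either, but a key directory is the one place where the default deserves tightening, so `"d '${cfg.keyPath}' 0750 ${cfg.user} ${cfg.group} - -"` is preferable (the key file keeps whatever mode `opendkim-genkey` assigns). With `PermissionsStartOnly` dropped in the last hunk, generation now runs as `${cfg.user}`, so removing the `chown` of `.private` is correct for keys created by this module. A `.private` that is root-owned for any other reason (copied in by an administrator, say) was repaired by that `chown` on every start and is now left as is, and the daemon will not be able to read it; `"z '${cfg.keyPath}/${cfg.selector}.private' 0600 ${cfg.user} ${cfg.group} - -"` would keep that repair, since `z` only acts when the file exists.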
@@ -116,7 +119,6 @@ in { cat ${cfg.selector}.txt echo "-------------------------------------------------------------" fi - chown ${cfg.user}:${cfg.group} ${cfg.selector}.private ''; serviceConfig = { @@ -124,7 +126,6 @@ in { User = cfg.user; Group = cfg.group; RuntimeDirectory = optional (cfg.socket == defaultSock) "opendkim"; - PermissionsStartOnly = true; }; }; From 12dec599058036f88f72ec553ee33a3df1f91c49 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 09:08:21 -0500 Subject: [PATCH 30/34] nixos/octoprint: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/misc/octoprint.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/nixos/modules/services/misc/octoprint.nix b/nixos/modules/services/misc/octoprint.nix index baa7c3ade52e..2e17f671a512 100644 --- a/nixos/modules/services/misc/octoprint.nix +++ b/nixos/modules/services/misc/octoprint.nix @@ -97,6 +97,10 @@ in gid = config.ids.gids.octoprint; }); + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.octoprint = { description = "OctoPrint, web interface for 3D printers"; wantedBy = [ "multi-user.target" ]; @@ -105,7 +109,6 @@ in environment.PYTHONPATH = makeSearchPathOutput "lib" pkgs.python.sitePackages [ pluginsEnv ]; preStart = '' - mkdir -p "${cfg.stateDir}" if [ -e "${cfg.stateDir}/config.yaml" ]; then ${pkgs.yaml-merge}/bin/yaml-merge "${cfg.stateDir}/config.yaml" "${cfgUpdate}" > "${cfg.stateDir}/config.yaml.tmp" mv "${cfg.stateDir}/config.yaml.tmp" "${cfg.stateDir}/config.yaml" @@ -113,14 +116,12 @@ in cp "${cfgUpdate}" "${cfg.stateDir}/config.yaml" chmod 600 "${cfg.stateDir}/config.yaml" fi - chown -R ${cfg.user}:${cfg.group} "${cfg.stateDir}" ''; serviceConfig = { ExecStart = "${pkgs.octoprint}/bin/octoprint serve -b ${cfg.stateDir}"; User = cfg.user; Group = cfg.group; - PermissionsStartOnly = true; }; }; 
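Review bot: The `chmod 600` on `config.yaml` (third hunk) only runs on the fresh-copy branch; on the merge branch (second hunk) `yaml-merge` writes `config.yaml.tmp` through a shell redirection, so that file gets the mode from the service user's umask, and the `mv` then replaces the 0600 file with it (the line between the two hunks is presumably the `else`). This predates the change, but with `PermissionsStartOnly` gone preStart now runs as `${cfg.user}`, which is a good moment to make the protection unconditional: add `chmod 600 "${cfg.stateDir}/config.yaml.tmp"` before the `mv`, or put `umask 077` at the top of preStart. The new `d '${cfg.stateDir}'` rule could likewise take `0750` instead of `-` so the directory around the 0600 file is not world-listable. The enclosing preStart spans the second and third hunks.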
From fff8b9bcaa353dd61ac258408cfe190096c4c45f Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 09:23:26 -0500 Subject: [PATCH 31/34] nixos/netdata: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/monitoring/netdata.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix index a49555cf677f..12a0961c4068 100644 --- a/nixos/modules/services/monitoring/netdata.nix +++ b/nixos/modules/services/monitoring/netdata.nix @@ -143,7 +143,6 @@ in { User = cfg.user; Group = cfg.group; Environment="PYTHONPATH=${pkgs.netdata}/libexec/netdata/python.d/python_modules"; - PermissionsStartOnly = true; ExecStart = "${pkgs.netdata}/bin/netdata -D -c ${configFile}"; TimeoutStopSec = 60; }; From 89dae4b1aed2228960872e2ac23b6c0d23ba8fe7 Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sun, 24 Feb 2019 11:16:35 -0500 Subject: [PATCH 32/34] nixos/murmur: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/networking/murmur.nix | 6 ------ 1 file changed, 6 deletions(-) diff --git a/nixos/modules/services/networking/murmur.nix b/nixos/modules/services/networking/murmur.nix index a6e90feff7ea..d91552a18875 100644 --- a/nixos/modules/services/networking/murmur.nix +++ b/nixos/modules/services/networking/murmur.nix @@ -257,13 +257,7 @@ in Restart = "always"; User = "murmur"; ExecStart = "${pkgs.murmur}/bin/murmurd -ini ${configFile}"; - PermissionsStartOnly = true; }; - - preStart = '' - mkdir -p /var/log/murmur - chown -R murmur /var/log/murmur - ''; }; }; } From 1540a85458a65fbec09d9a2b84fa4ed6989930ab Mon Sep 17 00:00:00 2001 
From: Aaron Andersen Date: Mon, 18 Mar 2019 20:20:17 -0400 Subject: [PATCH 33/34] nixos/frab: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- nixos/modules/services/web-apps/frab.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/nixos/modules/services/web-apps/frab.nix b/nixos/modules/services/web-apps/frab.nix index fb95e024817c..e885dc69b3c0 100644 --- a/nixos/modules/services/web-apps/frab.nix +++ b/nixos/modules/services/web-apps/frab.nix @@ -182,16 +182,16 @@ in users.groups = [ { name = cfg.group; } ]; + systemd.tmpfiles.rules = [ + "d '${cfg.statePath}/system/attachments' - ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.frab = { after = [ "network.target" "gitlab.service" ]; wantedBy = [ "multi-user.target" ]; environment = frabEnv; preStart = '' - mkdir -p ${cfg.statePath}/system/attachments - chown ${cfg.user}:${cfg.group} -R ${cfg.statePath} - - mkdir /run/frab -p ln -sf ${pkgs.writeText "frab-database.yml" databaseConfig} /run/frab/database.yml ln -sf ${cfg.statePath}/system /run/frab/system @@ -204,7 +204,6 @@ in ''; serviceConfig = { - PermissionsStartOnly = true; PrivateTmp = true; PrivateDevices = true; Type = "simple"; @@ -213,6 +212,7 @@ in TimeoutSec = "300s"; Restart = "on-failure"; RestartSec = "10s"; + RuntimeDirectory = "frab"; WorkingDirectory = "${package}/share/frab"; ExecStart = "${frab-rake}/bin/frab-bundle exec rails server " + "--binding=${cfg.listenAddress} --port=${toString cfg.listenPort}"; From de6e5ea8152b29c975096d7d4b7d0938874ee37a Mon Sep 17 00:00:00 2001 From: Aaron Andersen Date: Sat, 25 May 2019 18:30:50 -0400 Subject: [PATCH 34/34] nixos/foundationdb: replace deprecated usage of PermissionsStartOnly see https://github.com/NixOS/nixpkgs/issues/53852 --- .../services/databases/foundationdb.nix | 22 +++++++------------ 1 file changed, 8 insertions(+), 14 deletions(-) 
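Review bot: The new tmpfiles rule targets only `${cfg.statePath}/system/attachments`; when that path does not exist yet, tmpfiles creates `${cfg.statePath}` and `${cfg.statePath}/system` as missing parents, root-owned with the default mode, whereas the removed `chown ${cfg.user}:${cfg.group} -R ${cfg.statePath}` made the whole tree writable by the service. Since `PermissionsStartOnly` is dropped in the second hunk, preStart now runs as `${cfg.user}`, and anything it or the application creates directly under `${cfg.statePath}` or `${cfg.statePath}/system` on a fresh install will fail with a permission error. Listing the parents explicitly avoids that: `"d '${cfg.statePath}' - ${cfg.user} ${cfg.group} - -"` and `"d '${cfg.statePath}/system' - ${cfg.user} ${cfg.group} - -"` ahead of the attachments rule. Existing installs are unaffected because the old `chown -R` already ran there. The `RuntimeDirectory = "frab"` replacement for `mkdir /run/frab -p` is fine, as the symlinks are recreated in preStart on every start.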
diff --git a/nixos/modules/services/databases/foundationdb.nix b/nixos/modules/services/databases/foundationdb.nix index 490c5e9d005a..6182da5e7d65 100644 --- a/nixos/modules/services/databases/foundationdb.nix +++ b/nixos/modules/services/databases/foundationdb.nix @@ -359,6 +359,13 @@ in } ]; + systemd.tmpfiles.rules = [ + "d /etc/foundationdb 0755 ${cfg.user} ${cfg.group} - -" + "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -" + "d '${cfg.logDir}' 0770 ${cfg.user} ${cfg.group} - -" + "F '${cfg.pidFile}' - ${cfg.user} ${cfg.group} - -" + ]; + systemd.services.foundationdb = { description = "FoundationDB Service"; @@ -396,25 +403,12 @@ in path = [ pkg pkgs.coreutils ]; preStart = '' - rm -f ${cfg.pidfile} && \ - touch ${cfg.pidfile} && \ - chown -R ${cfg.user}:${cfg.group} ${cfg.pidfile} - - for x in "${cfg.logDir}" "${cfg.dataDir}"; do - [ ! -d "$x" ] && mkdir -m 0770 -vp "$x"; - chown -R ${cfg.user}:${cfg.group} "$x"; - done - - [ ! -d /etc/foundationdb ] && \ - mkdir -m 0775 -vp /etc/foundationdb && \ - chown -R ${cfg.user}:${cfg.group} "/etc/foundationdb" - if [ ! -f /etc/foundationdb/fdb.cluster ]; then cf=/etc/foundationdb/fdb.cluster desc=$(tr -dc A-Za-z0-9 /dev/null | head -c8) rand=$(tr -dc A-Za-z0-9 /dev/null | head -c8) echo ''${desc}:''${rand}@${initialIpAddr}:${builtins.toString cfg.listenPortStart} > $cf - chmod 0664 $cf && chown -R ${cfg.user}:${cfg.group} $cf + chmod 0664 $cf touch "${cfg.dataDir}/.first_startup" fi '';
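Review bot: The new `F '${cfg.pidFile}'` rule spells the option `pidFile`, while the removed preStart lines used `cfg.pidfile`; since the removed lines evaluated before, the new spelling is the one to verify (an evaluation error if the option is declared as `pidfile`, a silently different path if both exist). Nothing in this diff changes who runs preStart: if it still runs as root, the `echo ... > $cf` now creates a root-owned `fdb.cluster` and only the removed `chown` made it writable by `${cfg.user}`, which matters because the server rewrites the cluster file itself; if it runs as `${cfg.user}`, the `chown` was redundant. Either keep the `chown` or add `"z /etc/foundationdb/fdb.cluster 0664 ${cfg.user} ${cfg.group} - -"` so the ownership is explicit either way. Two semantic shifts also deserve a line in the commit message: `/etc/foundationdb` goes from the old `mkdir -m 0775` to `0755`, dropping group write, and `F` truncates the pid file only when tmpfiles runs (boot or activation), whereas the old `rm -f && touch` did so on every service start, so a stale pid from a crashed instance now survives a plain restart.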