Merge pull request #56265 from aanderse/permissions-start-only

replace deprecated usage of PermissionsStartOnly (part 2)
This commit is contained in:
Graham Christensen 2019-06-25 18:04:22 -04:00 committed by GitHub
commit 38c28ef10c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
33 changed files with 142 additions and 183 deletions


@ -70,25 +70,25 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' - mopidy mopidy - -"
];
systemd.services.mopidy = { systemd.services.mopidy = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" "sound.target" ]; after = [ "network.target" "sound.target" ];
description = "mopidy music player daemon"; description = "mopidy music player daemon";
preStart = "mkdir -p ${cfg.dataDir} && chown -R mopidy:mopidy ${cfg.dataDir}";
serviceConfig = { serviceConfig = {
ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)}"; ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)}";
User = "mopidy"; User = "mopidy";
PermissionsStartOnly = true;
}; };
}; };
systemd.services.mopidy-scan = { systemd.services.mopidy-scan = {
description = "mopidy local files scanner"; description = "mopidy local files scanner";
preStart = "mkdir -p ${cfg.dataDir} && chown -R mopidy:mopidy ${cfg.dataDir}";
serviceConfig = { serviceConfig = {
ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)} local scan"; ExecStart = "${mopidyEnv}/bin/mopidy --config ${concatStringsSep ":" ([mopidyConf] ++ cfg.extraConfigFiles)} local scan";
User = "mopidy"; User = "mopidy";
PermissionsStartOnly = true;
Type = "oneshot"; Type = "oneshot";
}; };
}; };
@ -98,7 +98,7 @@ in {
group = "mopidy"; group = "mopidy";
extraGroups = [ "audio" ]; extraGroups = [ "audio" ];
description = "Mopidy daemon user"; description = "Mopidy daemon user";
home = "${cfg.dataDir}"; home = cfg.dataDir;
}; };
users.groups.mopidy.gid = gid; users.groups.mopidy.gid = gid;
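Review bot: The new `d '${cfg.dataDir}' - mopidy mopidy - -` rule applies ownership to the data directory itself only, whereas the removed preStart lines ran `chown -R mopidy:mopidy`, so files beneath an existing dataDir that are not owned by mopidy are no longer corrected before start and will now surface as permission errors in mopidy or mopidy-scan, both of which run unprivileged after this change. If that recursive repair was relied on, a `Z '${cfg.dataDir}' - mopidy mopidy - -` line (the recursive tmpfiles type) would preserve it; otherwise a comment on the rule such as `# ownership is applied to the directory only, not recursively` would record the intent. Note also that a `-` mode on a `d` line means tmpfiles' default 0755, which matches the previous `mkdir -p` under the default umask. The same non-recursive change appears in the slimserver, octoprint and riemann-dash sections below.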


@ -42,15 +42,17 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' - slimserver slimserver - -"
];
systemd.services.slimserver = { systemd.services.slimserver = {
after = [ "network.target" ]; after = [ "network.target" ];
description = "Slim Server for Logitech Squeezebox Players"; description = "Slim Server for Logitech Squeezebox Players";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
preStart = "mkdir -p ${cfg.dataDir} && chown -R slimserver:slimserver ${cfg.dataDir}";
serviceConfig = { serviceConfig = {
User = "slimserver"; User = "slimserver";
PermissionsStartOnly = true;
# Issue 40589: Disable broken image/video support (audio still works!) # Issue 40589: Disable broken image/video support (audio still works!)
ExecStart = "${cfg.package}/slimserver.pl --logdir ${cfg.dataDir}/logs --prefsdir ${cfg.dataDir}/prefs --cachedir ${cfg.dataDir}/cache --noimage --novideo"; ExecStart = "${cfg.package}/slimserver.pl --logdir ${cfg.dataDir}/logs --prefsdir ${cfg.dataDir}/prefs --cachedir ${cfg.dataDir}/cache --noimage --novideo";
}; };


@ -105,19 +105,18 @@ in
isSystemUser = true; isSystemUser = true;
}; };
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' - boinc - - -"
];
systemd.services.boinc = { systemd.services.boinc = {
description = "BOINC Client"; description = "BOINC Client";
after = ["network.target" "local-fs.target"]; after = ["network.target" "local-fs.target"];
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
preStart = ''
mkdir -p ${cfg.dataDir}
chown boinc ${cfg.dataDir}
'';
script = '' script = ''
${fhsEnvExecutable} --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag} ${fhsEnvExecutable} --dir ${cfg.dataDir} --redirectio ${allowRemoteGuiRpcFlag}
''; '';
serviceConfig = { serviceConfig = {
PermissionsStartOnly = true; # preStart must be run as root
User = "boinc"; User = "boinc";
Nice = 10; Nice = 10;
}; };


@ -95,6 +95,11 @@ in
environment.systemPackages = [cfg.package]; environment.systemPackages = [cfg.package];
systemd.tmpfiles.rules = [
"d '${dataDir}' 0700 ${cfg.user} - - -"
"d '${systemDir}' 0700 ${cfg.user} - - -"
];
systemd.services.firebird = systemd.services.firebird =
{ description = "Firebird Super-Server"; { description = "Firebird Super-Server";
@ -104,21 +109,16 @@ in
# is a better way # is a better way
preStart = preStart =
'' ''
mkdir -m 0700 -p \
"${dataDir}" \
"${systemDir}" \
/var/log/firebird
if ! test -e "${systemDir}/security2.fdb"; then if ! test -e "${systemDir}/security2.fdb"; then
cp ${firebird}/security2.fdb "${systemDir}" cp ${firebird}/security2.fdb "${systemDir}"
fi fi
chown -R ${cfg.user} "${dataDir}" "${systemDir}" /var/log/firebird
chmod -R 700 "${dataDir}" "${systemDir}" /var/log/firebird chmod -R 700 "${dataDir}" "${systemDir}" /var/log/firebird
''; '';
serviceConfig.PermissionsStartOnly = true; # preStart must be run as root
serviceConfig.User = cfg.user; serviceConfig.User = cfg.user;
serviceConfig.LogsDirectory = "firebird";
serviceConfig.LogsDirectoryMode = "0700";
serviceConfig.ExecStart = ''${firebird}/bin/fbserver -d''; serviceConfig.ExecStart = ''${firebird}/bin/fbserver -d'';
# TODO think about shutdown # TODO think about shutdown
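Review bot: The remaining preStart now runs unprivileged (`serviceConfig.PermissionsStartOnly` is removed while `serviceConfig.User = cfg.user` stays), yet it still executes `chmod -R 700 "${dataDir}" "${systemDir}" /var/log/firebird`; chmod fails on any file the user does not own, and a failing preStart aborts the unit. The removed `chown -R` was what guaranteed matching ownership on every start, and the new `d` rules plus `LogsDirectory` only own the top-level directories, so any file under them that is not owned by cfg.user may now block startup. Consider dropping the recursive chmod in favour of the explicit 0700 modes already on the tmpfiles rules and `LogsDirectoryMode`, or limiting it to the files preStart itself creates. The service definition starts and ends outside the hunk.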


@ -359,6 +359,13 @@ in
} }
]; ];
systemd.tmpfiles.rules = [
"d /etc/foundationdb 0755 ${cfg.user} ${cfg.group} - -"
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
"d '${cfg.logDir}' 0770 ${cfg.user} ${cfg.group} - -"
"F '${cfg.pidFile}' - ${cfg.user} ${cfg.group} - -"
];
systemd.services.foundationdb = { systemd.services.foundationdb = {
description = "FoundationDB Service"; description = "FoundationDB Service";
@ -396,25 +403,12 @@ in
path = [ pkg pkgs.coreutils ]; path = [ pkg pkgs.coreutils ];
preStart = '' preStart = ''
rm -f ${cfg.pidfile} && \
touch ${cfg.pidfile} && \
chown -R ${cfg.user}:${cfg.group} ${cfg.pidfile}
for x in "${cfg.logDir}" "${cfg.dataDir}"; do
[ ! -d "$x" ] && mkdir -m 0770 -vp "$x";
chown -R ${cfg.user}:${cfg.group} "$x";
done
[ ! -d /etc/foundationdb ] && \
mkdir -m 0775 -vp /etc/foundationdb && \
chown -R ${cfg.user}:${cfg.group} "/etc/foundationdb"
if [ ! -f /etc/foundationdb/fdb.cluster ]; then if [ ! -f /etc/foundationdb/fdb.cluster ]; then
cf=/etc/foundationdb/fdb.cluster cf=/etc/foundationdb/fdb.cluster
desc=$(tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c8) desc=$(tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c8)
rand=$(tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c8) rand=$(tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c8)
echo ''${desc}:''${rand}@${initialIpAddr}:${builtins.toString cfg.listenPortStart} > $cf echo ''${desc}:''${rand}@${initialIpAddr}:${builtins.toString cfg.listenPortStart} > $cf
chmod 0664 $cf && chown -R ${cfg.user}:${cfg.group} $cf chmod 0664 $cf
touch "${cfg.dataDir}/.first_startup" touch "${cfg.dataDir}/.first_startup"
fi fi
''; '';
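Review bot: The removed preStart lines refer to `cfg.pidfile` while the new tmpfiles rule uses `cfg.pidFile`; only one of these can be the declared option, so please confirm the rule evaluates against the real attribute rather than failing evaluation or managing a different path. Separately, `F` truncates the file on every tmpfiles run, and NixOS re-applies tmpfiles rules on activation as well as at boot, so the pid file of a running service may be emptied during a rebuild, whereas the old `rm -f`/`touch` pair only ran inside preStart; `f` (create without truncating) with the same owner fields is the safer type, subject to checking that the shipped systemd also adjusts ownership of an existing file for `f`. The preStart block continues outside the hunk.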


@ -94,6 +94,11 @@ in {
config = mkIf config.services.hbase.enable { config = mkIf config.services.hbase.enable {
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -"
"d '${cfg.logDir}' - ${cfg.user} ${cfg.group} - -"
];
systemd.services.hbase = { systemd.services.hbase = {
description = "HBase Server"; description = "HBase Server";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -103,19 +108,7 @@ in {
HBASE_LOG_DIR = cfg.logDir; HBASE_LOG_DIR = cfg.logDir;
}; };
preStart =
''
mkdir -p ${cfg.dataDir};
mkdir -p ${cfg.logDir};
if [ "$(id -u)" = 0 ]; then
chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
chown ${cfg.user}:${cfg.group} ${cfg.logDir}
fi
'';
serviceConfig = { serviceConfig = {
PermissionsStartOnly = true;
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
ExecStart = "${cfg.package}/bin/hbase --config ${configDir} master start"; ExecStart = "${cfg.package}/bin/hbase --config ${configDir} master start";


@ -134,6 +134,10 @@ in
}; };
}; };
systemd.tmpfiles.rules = [
"d '${cfg.messageJournalDir}' - ${cfg.user} - - -"
];
systemd.services.graylog = with pkgs; { systemd.services.graylog = with pkgs; {
description = "Graylog Server"; description = "Graylog Server";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -143,8 +147,6 @@ in
}; };
path = [ pkgs.jre_headless pkgs.which pkgs.procps ]; path = [ pkgs.jre_headless pkgs.which pkgs.procps ];
preStart = '' preStart = ''
mkdir -p /var/lib/graylog -m 755
rm -rf /var/lib/graylog/plugins || true rm -rf /var/lib/graylog/plugins || true
mkdir -p /var/lib/graylog/plugins -m 755 mkdir -p /var/lib/graylog/plugins -m 755
@ -154,14 +156,10 @@ in
for includedplugin in `ls ${cfg.package}/plugin/`; do for includedplugin in `ls ${cfg.package}/plugin/`; do
ln -s ${cfg.package}/plugin/$includedplugin /var/lib/graylog/plugins/$includedplugin || true ln -s ${cfg.package}/plugin/$includedplugin /var/lib/graylog/plugins/$includedplugin || true
done done
chown -R ${cfg.user} /var/lib/graylog
mkdir -p ${cfg.messageJournalDir} -m 755
chown -R ${cfg.user} ${cfg.messageJournalDir}
''; '';
serviceConfig = { serviceConfig = {
User="${cfg.user}"; User="${cfg.user}";
PermissionsStartOnly=true; StateDirectory = "graylog";
ExecStart = "${cfg.package}/bin/graylogctl run"; ExecStart = "${cfg.package}/bin/graylogctl run";
}; };
}; };


@ -54,16 +54,18 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' - nobody nogroup - -"
];
systemd.services.heartbeat = with pkgs; { systemd.services.heartbeat = with pkgs; {
description = "heartbeat log shipper"; description = "heartbeat log shipper";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
preStart = '' preStart = ''
mkdir -p "${cfg.stateDir}"/{data,logs} mkdir -p "${cfg.stateDir}"/{data,logs}
chown nobody:nogroup "${cfg.stateDir}"/{data,logs}
''; '';
serviceConfig = { serviceConfig = {
User = "nobody"; User = "nobody";
PermissionsStartOnly = true;
AmbientCapabilities = "cap_net_raw"; AmbientCapabilities = "cap_net_raw";
ExecStart = "${pkgs.heartbeat}/bin/heartbeat -c \"${heartbeatYml}\" -path.data \"${cfg.stateDir}/data\" -path.logs \"${cfg.stateDir}/logs\""; ExecStart = "${pkgs.heartbeat}/bin/heartbeat -c \"${heartbeatYml}\" -path.data \"${cfg.stateDir}/data\" -path.logs \"${cfg.stateDir}/logs\"";
}; };


@ -113,19 +113,14 @@ in {
Group = cfg.group; Group = cfg.group;
RuntimeDirectory = optional (cfg.domainSocket == defaultSock) "dspam"; RuntimeDirectory = optional (cfg.domainSocket == defaultSock) "dspam";
RuntimeDirectoryMode = optional (cfg.domainSocket == defaultSock) "0750"; RuntimeDirectoryMode = optional (cfg.domainSocket == defaultSock) "0750";
PermissionsStartOnly = true; StateDirectory = "dspam";
StateDirectoryMode = "0750";
LogsDirectory = "dspam";
LogsDirectoryMode = "0750";
# DSPAM segfaults on just about every error # DSPAM segfaults on just about every error
Restart = "on-abort"; Restart = "on-abort";
RestartSec = "1s"; RestartSec = "1s";
}; };
preStart = ''
mkdir -m750 -p /var/lib/dspam
chown -R "${cfg.user}:${cfg.group}" /var/lib/dspam
mkdir -m750 -p /var/log/dspam
chown -R "${cfg.user}:${cfg.group}" /var/log/dspam
'';
}; };
} }


@ -101,13 +101,16 @@ in {
environment.systemPackages = [ pkgs.opendkim ]; environment.systemPackages = [ pkgs.opendkim ];
systemd.tmpfiles.rules = [
"d '${cfg.keyPath}' - ${cfg.user} ${cfg.group} - -"
];
systemd.services.opendkim = { systemd.services.opendkim = {
description = "OpenDKIM signing and verification daemon"; description = "OpenDKIM signing and verification daemon";
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
preStart = '' preStart = ''
mkdir -p "${cfg.keyPath}"
cd "${cfg.keyPath}" cd "${cfg.keyPath}"
if ! test -f ${cfg.selector}.private; then if ! test -f ${cfg.selector}.private; then
${pkgs.opendkim}/bin/opendkim-genkey -s ${cfg.selector} -d all-domains-generic-key ${pkgs.opendkim}/bin/opendkim-genkey -s ${cfg.selector} -d all-domains-generic-key
@ -116,7 +119,6 @@ in {
cat ${cfg.selector}.txt cat ${cfg.selector}.txt
echo "-------------------------------------------------------------" echo "-------------------------------------------------------------"
fi fi
chown ${cfg.user}:${cfg.group} ${cfg.selector}.private
''; '';
serviceConfig = { serviceConfig = {
@ -124,7 +126,6 @@ in {
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
RuntimeDirectory = optional (cfg.socket == defaultSock) "opendkim"; RuntimeDirectory = optional (cfg.socket == defaultSock) "opendkim";
PermissionsStartOnly = true;
}; };
}; };
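Review bot: The rule `"d '${cfg.keyPath}' - ${cfg.user} ${cfg.group} - -"` leaves the directory holding the DKIM signing key at tmpfiles' default mode 0755, and `opendkim-genkey` now writes `${cfg.selector}.private` there as cfg.user; the old `mkdir -p` produced the same mode, so this is not a regression, but the rewrite is the natural point to tighten it, e.g. `"d '${cfg.keyPath}' 0750 ${cfg.user} ${cfg.group} - -"`. Whether the private key file itself ends up readable only by cfg.user depends on opendkim-genkey and the unit's umask, neither of which is visible here. The same default-0755 question applies to the quassel section's `${cfg.dataDir}` rule. The serviceConfig block continues outside the hunk.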


@ -131,6 +131,8 @@ in {
home = head cfg.logDirs; home = head cfg.logDirs;
}; };
systemd.tmpfiles.rules = map (logDir: "d '${logDir} 0700 apache-kafka - - -") cfg.logDirs;
systemd.services.apache-kafka = { systemd.services.apache-kafka = {
description = "Apache Kafka Daemon"; description = "Apache Kafka Daemon";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -145,15 +147,8 @@ in {
${serverConfig} ${serverConfig}
''; '';
User = "apache-kafka"; User = "apache-kafka";
PermissionsStartOnly = true;
SuccessExitStatus = "0 143"; SuccessExitStatus = "0 143";
}; };
preStart = ''
mkdir -m 0700 -p ${concatStringsSep " " cfg.logDirs}
if [ "$(id -u)" = 0 ]; then
chown apache-kafka ${concatStringsSep " " cfg.logDirs};
fi
'';
}; };
}; };
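Review bot: The new line `systemd.tmpfiles.rules = map (logDir: "d '${logDir} 0700 apache-kafka - - -") cfg.logDirs;` is missing the closing single quote after the path, so systemd-tmpfiles receives an unterminated quoted field and the log directories will most likely not be created or owned as intended. It should read `"d '${logDir}' 0700 apache-kafka - - -"`, matching the quoting used in the other sections of this commit. Since the removed preStart was the only code creating these directories, a fresh install would otherwise start kafka without its log directories.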


@ -19,16 +19,11 @@ in
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p /var/lib/couchpotato
chown -R couchpotato:couchpotato /var/lib/couchpotato
'';
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
User = "couchpotato"; User = "couchpotato";
Group = "couchpotato"; Group = "couchpotato";
PermissionsStartOnly = "true"; StateDirectory = "couchpotato";
ExecStart = "${pkgs.couchpotato}/bin/couchpotato"; ExecStart = "${pkgs.couchpotato}/bin/couchpotato";
Restart = "on-failure"; Restart = "on-failure";
}; };


@ -75,27 +75,24 @@ in
users.groups.gollum = { }; users.groups.gollum = { };
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' - ${config.users.users.gollum.name} ${config.users.groups.gollum.name} - -"
];
systemd.services.gollum = { systemd.services.gollum = {
description = "Gollum wiki"; description = "Gollum wiki";
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = [ pkgs.git ]; path = [ pkgs.git ];
preStart = let preStart = ''
userName = config.users.users.gollum.name; # This is safe to be run on an existing repo
groupName = config.users.groups.gollum.name;
in ''
# All of this is safe to be run on an existing repo
mkdir -p ${cfg.stateDir}
git init ${cfg.stateDir} git init ${cfg.stateDir}
chmod 755 ${cfg.stateDir}
chown -R ${userName}:${groupName} ${cfg.stateDir}
''; '';
serviceConfig = { serviceConfig = {
User = config.users.users.gollum.name; User = config.users.users.gollum.name;
Group = config.users.groups.gollum.name; Group = config.users.groups.gollum.name;
PermissionsStartOnly = true;
ExecStart = '' ExecStart = ''
${pkgs.gollum}/bin/gollum \ ${pkgs.gollum}/bin/gollum \
--port ${toString cfg.port} \ --port ${toString cfg.port} \
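Review bot: `git init ${cfg.stateDir}` on the new side stays unquoted while the new tmpfiles rule quotes the same path, so a stateDir containing whitespace would be created correctly by tmpfiles and then mis-split by the shell; `git init "${cfg.stateDir}"` keeps the two in step. With the root preStart gone, git init runs as the gollum user, which relies on the tmpfiles rule having set ownership of the top-level directory first. The ExecStart string continues outside the hunk.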


@ -97,6 +97,10 @@ in
gid = config.ids.gids.octoprint; gid = config.ids.gids.octoprint;
}); });
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -"
];
systemd.services.octoprint = { systemd.services.octoprint = {
description = "OctoPrint, web interface for 3D printers"; description = "OctoPrint, web interface for 3D printers";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -105,7 +109,6 @@ in
environment.PYTHONPATH = makeSearchPathOutput "lib" pkgs.python.sitePackages [ pluginsEnv ]; environment.PYTHONPATH = makeSearchPathOutput "lib" pkgs.python.sitePackages [ pluginsEnv ];
preStart = '' preStart = ''
mkdir -p "${cfg.stateDir}"
if [ -e "${cfg.stateDir}/config.yaml" ]; then if [ -e "${cfg.stateDir}/config.yaml" ]; then
${pkgs.yaml-merge}/bin/yaml-merge "${cfg.stateDir}/config.yaml" "${cfgUpdate}" > "${cfg.stateDir}/config.yaml.tmp" ${pkgs.yaml-merge}/bin/yaml-merge "${cfg.stateDir}/config.yaml" "${cfgUpdate}" > "${cfg.stateDir}/config.yaml.tmp"
mv "${cfg.stateDir}/config.yaml.tmp" "${cfg.stateDir}/config.yaml" mv "${cfg.stateDir}/config.yaml.tmp" "${cfg.stateDir}/config.yaml"
@ -113,14 +116,12 @@ in
cp "${cfgUpdate}" "${cfg.stateDir}/config.yaml" cp "${cfgUpdate}" "${cfg.stateDir}/config.yaml"
chmod 600 "${cfg.stateDir}/config.yaml" chmod 600 "${cfg.stateDir}/config.yaml"
fi fi
chown -R ${cfg.user}:${cfg.group} "${cfg.stateDir}"
''; '';
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.octoprint}/bin/octoprint serve -b ${cfg.stateDir}"; ExecStart = "${pkgs.octoprint}/bin/octoprint serve -b ${cfg.stateDir}";
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
PermissionsStartOnly = true;
}; };
}; };


@ -83,6 +83,10 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.tmpfiles.rules = [
"d '${cfg.logDir}' - alerta alerta - -"
];
systemd.services.alerta = { systemd.services.alerta = {
description = "Alerta Monitoring System"; description = "Alerta Monitoring System";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -94,12 +98,7 @@ in
ExecStart = "${pkgs.python36Packages.alerta-server}/bin/alertad run --port ${toString cfg.port} --host ${cfg.bind}"; ExecStart = "${pkgs.python36Packages.alerta-server}/bin/alertad run --port ${toString cfg.port} --host ${cfg.bind}";
User = "alerta"; User = "alerta";
Group = "alerta"; Group = "alerta";
PermissionsStartOnly = true;
}; };
preStart = ''
mkdir -p ${cfg.logDir}
chown alerta:alerta ${cfg.logDir}
'';
}; };
environment.systemPackages = [ pkgs.python36Packages.alerta ]; environment.systemPackages = [ pkgs.python36Packages.alerta ];


@ -163,6 +163,10 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.kapacitor ]; environment.systemPackages = [ pkgs.kapacitor ];
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -"
];
systemd.services.kapacitor = { systemd.services.kapacitor = {
description = "Kapacitor Real-Time Stream Processing Engine"; description = "Kapacitor Real-Time Stream Processing Engine";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -171,12 +175,7 @@ in
ExecStart = "${pkgs.kapacitor}/bin/kapacitord -config ${kapacitorConf}"; ExecStart = "${pkgs.kapacitor}/bin/kapacitord -config ${kapacitorConf}";
User = "kapacitor"; User = "kapacitor";
Group = "kapacitor"; Group = "kapacitor";
PermissionsStartOnly = true;
}; };
preStart = ''
mkdir -p ${cfg.dataDir}
chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
'';
}; };
users.users.kapacitor = { users.users.kapacitor = {
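Review bot: The new rule owns `${cfg.dataDir}` by `${cfg.user}:${cfg.group}`, but the service still runs with the hard-coded `User = "kapacitor"; Group = "kapacitor";` a few lines below, so if cfg.user or cfg.group can be set to anything else the daemon runs as a different account from the one that owns its data directory. The removed preStart had the same mismatch, so it is not introduced here, but a single source of truth would be `User = cfg.user; Group = cfg.group;` in serviceConfig. The option declarations for cfg.user and cfg.group are outside the hunk.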


@ -143,7 +143,6 @@ in {
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
Environment="PYTHONPATH=${pkgs.netdata}/libexec/netdata/python.d/python_modules"; Environment="PYTHONPATH=${pkgs.netdata}/libexec/netdata/python.d/python_modules";
PermissionsStartOnly = true;
ExecStart = "${pkgs.netdata}/bin/netdata -D -c ${configFile}"; ExecStart = "${pkgs.netdata}/bin/netdata -D -c ${configFile}";
TimeoutStopSec = 60; TimeoutStopSec = 60;
}; };
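Review bot: Dropping `PermissionsStartOnly = true` means any preStart of this unit now runs as `cfg.user`; netdata's preStart is outside this hunk, so please confirm it contains no root-only steps (mkdir or chown under /var, for example) or move them to tmpfiles rules as the other sections of this commit do. The same check applies to the riemann-tools, scollector and autossh sections, whose hunks likewise remove only the PermissionsStartOnly line without showing the preStart they affect.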


@ -59,18 +59,20 @@ in {
group = "riemanndash"; group = "riemanndash";
}; };
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' - riemanndash riemanndash - -"
];
systemd.services.riemann-dash = { systemd.services.riemann-dash = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
wants = [ "riemann.service" ]; wants = [ "riemann.service" ];
after = [ "riemann.service" ]; after = [ "riemann.service" ];
preStart = '' preStart = ''
mkdir -p ${cfg.dataDir}/config mkdir -p '${cfg.dataDir}/config'
chown -R riemanndash:riemanndash ${cfg.dataDir}
''; '';
serviceConfig = { serviceConfig = {
User = "riemanndash"; User = "riemanndash";
ExecStart = "${launcher}/bin/riemann-dash"; ExecStart = "${launcher}/bin/riemann-dash";
PermissionsStartOnly = true;
}; };
}; };


@ -54,7 +54,6 @@ in {
serviceConfig = { serviceConfig = {
User = "riemanntools"; User = "riemanntools";
ExecStart = "${healthLauncher}/bin/riemann-health"; ExecStart = "${healthLauncher}/bin/riemann-health";
PermissionsStartOnly = true;
}; };
}; };


@ -116,7 +116,6 @@ in {
path = [ pkgs.coreutils pkgs.iproute ]; path = [ pkgs.coreutils pkgs.iproute ];
serviceConfig = { serviceConfig = {
PermissionsStartOnly = true;
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
ExecStart = "${cfg.package.bin}/bin/scollector -conf=${conf} ${lib.concatStringsSep " " cfg.extraOpts}"; ExecStart = "${cfg.package.bin}/bin/scollector -conf=${conf} ${lib.concatStringsSep " " cfg.extraOpts}";


@ -102,22 +102,19 @@ in
users.groups.aria2.gid = config.ids.gids.aria2; users.groups.aria2.gid = config.ids.gids.aria2;
systemd.tmpfiles.rules = [
"d '${homeDir}' 0770 aria2 aria2 - -"
"d '${config.services.aria2.downloadDir}' 0770 aria2 aria2 - -"
];
systemd.services.aria2 = { systemd.services.aria2 = {
description = "aria2 Service"; description = "aria2 Service";
after = [ "local-fs.target" "network.target" ]; after = [ "local-fs.target" "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
preStart = '' preStart = ''
mkdir -m 0770 -p "${homeDir}"
chown aria2:aria2 "${homeDir}"
if [[ ! -d "${config.services.aria2.downloadDir}" ]]
then
mkdir -m 0770 -p "${config.services.aria2.downloadDir}"
chown aria2:aria2 "${config.services.aria2.downloadDir}"
fi
if [[ ! -e "${sessionFile}" ]] if [[ ! -e "${sessionFile}" ]]
then then
touch "${sessionFile}" touch "${sessionFile}"
chown aria2:aria2 "${sessionFile}"
fi fi
cp -f "${settingsFile}" "${settingsDir}/aria2.conf" cp -f "${settingsFile}" "${settingsDir}/aria2.conf"
''; '';
@ -128,7 +125,6 @@ in
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
User = "aria2"; User = "aria2";
Group = "aria2"; Group = "aria2";
PermissionsStartOnly = true;
}; };
}; };
}; };
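Review bot: The rule `"d '${config.services.aria2.downloadDir}' 0770 aria2 aria2 - -"` adjusts ownership and mode of the download directory on every tmpfiles run even when it already exists, whereas the removed preStart only created and chowned it when absent (`if [[ ! -d ... ]]`); a user who points downloadDir at an existing directory will now have it chowned to aria2 and set to 0770, which may lock the owning account out of its own files. If that is intended it deserves a note in the option description; otherwise manage only `${homeDir}` here and leave the download directory to the service. Also, preStart still copies into `${settingsDir}` as the aria2 user, so settingsDir must be writable by aria2 — its definition is outside the hunk.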


@ -99,7 +99,6 @@ in
serviceConfig = { serviceConfig = {
User = "${s.user}"; User = "${s.user}";
PermissionsStartOnly = true;
# AutoSSH may exit with 0 code if the SSH session was # AutoSSH may exit with 0 code if the SSH session was
# gracefully terminated by either local or remote side. # gracefully terminated by either local or remote side.
Restart = "on-success"; Restart = "on-success";


@ -83,6 +83,10 @@ in
gid = config.ids.gids.ircd; gid = config.ids.gids.ircd;
}; };
systemd.tmpfiles.rules = [
"d ${cfg.statedir} - ${cfg.user} ${cfg.group} - -"
];
systemd.services.charybdis = { systemd.services.charybdis = {
description = "Charybdis IRC daemon"; description = "Charybdis IRC daemon";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -93,12 +97,7 @@ in
ExecStart = "${charybdis}/bin/charybdis -foreground -logfile /dev/stdout -configfile ${configFile}"; ExecStart = "${charybdis}/bin/charybdis -foreground -logfile /dev/stdout -configfile ${configFile}";
Group = cfg.group; Group = cfg.group;
User = cfg.user; User = cfg.user;
PermissionsStartOnly = true; # preStart needs to run with root permissions
}; };
preStart = ''
${coreutils}/bin/mkdir -p ${cfg.statedir}
${coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.statedir}
'';
}; };
} }
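Review bot: The rule `"d ${cfg.statedir} - ${cfg.user} ${cfg.group} - -"` is the only one in this commit that leaves the path unquoted, so a statedir containing a space would be split into extra fields by tmpfiles. Quoting it as the other sections do, `"d '${cfg.statedir}' - ${cfg.user} ${cfg.group} - -"`, keeps the rules uniform.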


@ -98,16 +98,10 @@ in
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" "local-fs.target" ]; after = [ "network.target" "local-fs.target" ];
preStart =
''
mkdir -p /var/cache/minidlna
chown -R minidlna:minidlna /var/cache/minidlna
'';
serviceConfig = serviceConfig =
{ User = "minidlna"; { User = "minidlna";
Group = "minidlna"; Group = "minidlna";
PermissionsStartOnly = true; CacheDirectory = "minidlna";
RuntimeDirectory = "minidlna"; RuntimeDirectory = "minidlna";
PIDFile = "/run/minidlna/pid"; PIDFile = "/run/minidlna/pid";
ExecStart = ExecStart =


@ -104,6 +104,10 @@ in
gid = config.ids.gids.quassel; gid = config.ids.gids.quassel;
}]; }];
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' - ${user} - - -"
];
systemd.services.quassel = systemd.services.quassel =
{ description = "Quassel IRC client daemon"; { description = "Quassel IRC client daemon";
@ -111,11 +115,6 @@ in
after = [ "network.target" ] ++ optional config.services.postgresql.enable "postgresql.service" after = [ "network.target" ] ++ optional config.services.postgresql.enable "postgresql.service"
++ optional config.services.mysql.enable "mysql.service"; ++ optional config.services.mysql.enable "mysql.service";
preStart = ''
mkdir -p ${cfg.dataDir}
chown ${user} ${cfg.dataDir}
'';
serviceConfig = serviceConfig =
{ {
ExecStart = concatStringsSep " " ([ ExecStart = concatStringsSep " " ([
@ -126,7 +125,6 @@ in
] ++ optional cfg.requireSSL "--require-ssl" ] ++ optional cfg.requireSSL "--require-ssl"
++ optional (cfg.certificateFile != null) "--ssl-cert=${cfg.certificateFile}"); ++ optional (cfg.certificateFile != null) "--ssl-cert=${cfg.certificateFile}");
User = user; User = user;
PermissionsStartOnly = true;
}; };
}; };


@ -159,7 +159,6 @@ in
serviceConfig = { serviceConfig = {
Type="forking"; Type="forking";
PIDFile="/run/squid.pid"; PIDFile="/run/squid.pid";
PermissionsStartOnly = true;
ExecStart = "${pkgs.squid}/bin/squid -YCs -f ${squidConfig}"; ExecStart = "${pkgs.squid}/bin/squid -YCs -f ${squidConfig}";
}; };
}; };


@ -111,16 +111,15 @@ in
gid = config.ids.gids.teamspeak; gid = config.ids.gids.teamspeak;
}; };
systemd.tmpfiles.rules = [
"d '${cfg.logPath}' - ${user} ${group} - -"
];
systemd.services.teamspeak3-server = { systemd.services.teamspeak3-server = {
description = "Teamspeak3 voice communication server daemon"; description = "Teamspeak3 voice communication server daemon";
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p ${cfg.logPath}
chown ${user}:${group} ${cfg.logPath}
'';
serviceConfig = { serviceConfig = {
ExecStart = '' ExecStart = ''
${ts3}/bin/ts3server \ ${ts3}/bin/ts3server \
@ -135,7 +134,6 @@ in
WorkingDirectory = cfg.dataDir; WorkingDirectory = cfg.dataDir;
User = user; User = user;
Group = group; Group = group;
PermissionsStartOnly = true;
}; };
}; };
}; };


@ -146,6 +146,11 @@ in
where = where; where = where;
}) mountPoints; }) mountPoints;
systemd.tmpfiles.rules = [
"e '${stateDir}' 0700 unifi - - -"
"e '${stateDir}/data' 0700 unifi - - -"
];
systemd.services.unifi = { systemd.services.unifi = {
description = "UniFi controller daemon"; description = "UniFi controller daemon";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -157,14 +162,9 @@ in
environment.LD_LIBRARY_PATH = with pkgs.stdenv; "${cc.cc.lib}/lib"; environment.LD_LIBRARY_PATH = with pkgs.stdenv; "${cc.cc.lib}/lib";
preStart = '' preStart = ''
# Ensure privacy of state and data.
chown unifi "${stateDir}" "${stateDir}/data"
chmod 0700 "${stateDir}" "${stateDir}/data"
# Create the volatile webapps # Create the volatile webapps
rm -rf "${stateDir}/webapps" rm -rf "${stateDir}/webapps"
mkdir -p "${stateDir}/webapps" mkdir -p "${stateDir}/webapps"
chown unifi "${stateDir}/webapps"
ln -s "${cfg.unifiPackage}/webapps/ROOT" "${stateDir}/webapps/ROOT" ln -s "${cfg.unifiPackage}/webapps/ROOT" "${stateDir}/webapps/ROOT"
''; '';
@ -177,7 +177,6 @@ in
ExecStart = "${(removeSuffix "\n" cmd)} start"; ExecStart = "${(removeSuffix "\n" cmd)} start";
ExecStop = "${(removeSuffix "\n" cmd)} stop"; ExecStop = "${(removeSuffix "\n" cmd)} stop";
User = "unifi"; User = "unifi";
PermissionsStartOnly = true;
UMask = "0077"; UMask = "0077";
WorkingDirectory = "${stateDir}"; WorkingDirectory = "${stateDir}";
}; };
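Review bot: `e` lines only adjust existing paths and never create them, so on a host where `${stateDir}` does not yet exist the two new rules are no-ops and preStart's `mkdir -p "${stateDir}/webapps"`, which now runs as `unifi`, would fail in the missing parent. The removed chown/chmod also assumed the directory existed, so the precondition is unchanged, but a comment on the rules such as `# stateDir is expected to exist already; 'e' only fixes mode and owner` would make it explicit — I am inferring from the `mountPoints` context at the top of the hunk that the directory is provided elsewhere. The service definition continues outside the hunk.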


@ -86,20 +86,17 @@ in with lib; {
''; '';
}; };
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 750 zeronet zeronet - -"
"d '${cfg.logDir}' 750 zeronet zeronet - -"
];
systemd.services.zeronet = { systemd.services.zeronet = {
description = "zeronet"; description = "zeronet";
after = [ "network.target" (optionalString cfg.tor "tor.service") ]; after = [ "network.target" (optionalString cfg.tor "tor.service") ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
preStart = ''
# Ensure folder exists or create it and permissions are correct
mkdir -p ${escapeShellArg cfg.dataDir} ${escapeShellArg cfg.logDir}
chmod 750 ${escapeShellArg cfg.dataDir} ${escapeShellArg cfg.logDir}
chown zeronet:zeronet ${escapeShellArg cfg.dataDir} ${escapeShellArg cfg.logDir}
'';
serviceConfig = { serviceConfig = {
PermissionsStartOnly = true;
PrivateTmp = "yes"; PrivateTmp = "yes";
User = "zeronet"; User = "zeronet";
Group = "zeronet"; Group = "zeronet";


@ -149,6 +149,17 @@ in
users.groups."${cfg.group}" = {}; users.groups."${cfg.group}" = {};
systemd.tmpfiles.rules = [
"d '${cfg.home}' - ${cfg.user} - - -"
"d /run/confluence - - - - -"
"L+ /run/confluence/home - - - - ${cfg.home}"
"L+ /run/confluence/logs - - - - ${cfg.home}/logs"
"L+ /run/confluence/temp - - - - ${cfg.home}/temp"
"L+ /run/confluence/work - - - - ${cfg.home}/work"
"L+ /run/confluence/server.xml - - - - ${cfg.home}/server.xml"
];
systemd.services.confluence = { systemd.services.confluence = {
description = "Atlassian Confluence"; description = "Atlassian Confluence";
@ -167,12 +178,6 @@ in
preStart = '' preStart = ''
mkdir -p ${cfg.home}/{logs,work,temp,deploy} mkdir -p ${cfg.home}/{logs,work,temp,deploy}
mkdir -p /run/confluence
ln -sf ${cfg.home}/{logs,work,temp,server.xml} /run/confluence
ln -sf ${cfg.home} /run/confluence/home
chown ${cfg.user} ${cfg.home}
sed -e 's,port="8090",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \ sed -e 's,port="8090",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \
'' + (lib.optionalString cfg.proxy.enable '' '' + (lib.optionalString cfg.proxy.enable ''
-e 's,protocol="org.apache.coyote.http11.Http11NioProtocol",protocol="org.apache.coyote.http11.Http11NioProtocol" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}",' \ -e 's,protocol="org.apache.coyote.http11.Http11NioProtocol",protocol="org.apache.coyote.http11.Http11NioProtocol" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}",' \
@ -184,7 +189,6 @@ in
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
PrivateTmp = true; PrivateTmp = true;
PermissionsStartOnly = true;
ExecStart = "${pkg}/bin/start-confluence.sh -fg"; ExecStart = "${pkg}/bin/start-confluence.sh -fg";
ExecStop = "${pkg}/bin/stop-confluence.sh"; ExecStop = "${pkg}/bin/stop-confluence.sh";
}; };


@ -117,6 +117,16 @@ in
users.groups."${cfg.group}" = {}; users.groups."${cfg.group}" = {};
systemd.tmpfiles.rules = [
"d '${cfg.home}' - ${cfg.user} ${cfg.group} - -"
"d /run/atlassian-crowd - - - - -"
"L+ /run/atlassian-crowd/database - - - - ${cfg.home}/database"
"L+ /run/atlassian-crowd/logs - - - - ${cfg.home}/logs"
"L+ /run/atlassian-crowd/work - - - - ${cfg.home}/work"
"L+ /run/atlassian-crowd/server.xml - - - - ${cfg.home}/server.xml"
];
systemd.services.atlassian-crowd = { systemd.services.atlassian-crowd = {
description = "Atlassian Crowd"; description = "Atlassian Crowd";
@ -136,12 +146,6 @@ in
rm -rf ${cfg.home}/work rm -rf ${cfg.home}/work
mkdir -p ${cfg.home}/{logs,database,work} mkdir -p ${cfg.home}/{logs,database,work}
mkdir -p /run/atlassian-crowd
ln -sf ${cfg.home}/{database,logs,work,server.xml} /run/atlassian-crowd
chown ${cfg.user}:${cfg.group} ${cfg.home}
chown ${cfg.user}:${cfg.group} ${cfg.home}/{logs,database,work}
sed -e 's,port="8095",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \ sed -e 's,port="8095",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \
'' + (lib.optionalString cfg.proxy.enable '' '' + (lib.optionalString cfg.proxy.enable ''
-e 's,compression="on",compression="off" protocol="HTTP/1.1" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}" secure="${boolToString cfg.proxy.secure}",' \ -e 's,compression="on",compression="off" protocol="HTTP/1.1" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}" secure="${boolToString cfg.proxy.secure}",' \
@ -153,7 +157,6 @@ in
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
PrivateTmp = true; PrivateTmp = true;
PermissionsStartOnly = true;
ExecStart = "${pkg}/start_crowd.sh -fg"; ExecStart = "${pkg}/start_crowd.sh -fg";
}; };
}; };
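Review bot: The `d '${cfg.home}' - ${cfg.user} ${cfg.group} - -` rule only guarantees ownership of the top-level home directory, while the removed per-start `chown` of `logs`, `database` and `work` is not replaced; with `PermissionsStartOnly` dropped the `rm -rf`, `mkdir -p` and `sed` in preStart presumably run as `cfg.user`, so a home whose subdirectories are not owned by that user (for example one restored from a backup as root) would now fail in preStart rather than being repaired. A comment above the rules would make that contract explicit: `# tmpfiles fixes ownership of ${cfg.home} itself only; preStart runs unprivileged, so its contents must already be writable by cfg.user`. The mode column is left as `-`, so a freshly created home gets tmpfiles' default 0755; if the home holds database configuration, an explicit narrower mode such as `0750` may be worth considering, provided nothing else needs to traverse it. The same removal of the recursive ownership fix appears in the atlassian-jira section below.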


@ -155,6 +155,17 @@ in
users.groups."${cfg.group}" = {}; users.groups."${cfg.group}" = {};
systemd.tmpfiles.rules = [
"d '${cfg.home}' - ${cfg.user} - - -"
"d /run/atlassian-jira - - - - -"
"L+ /run/atlassian-jira/home - - - - ${cfg.home}"
"L+ /run/atlassian-jira/logs - - - - ${cfg.home}/logs"
"L+ /run/atlassian-jira/work - - - - ${cfg.home}/work"
"L+ /run/atlassian-jira/temp - - - - ${cfg.home}/temp"
"L+ /run/atlassian-jira/server.xml - - - - ${cfg.home}/server.xml"
];
systemd.services.atlassian-jira = { systemd.services.atlassian-jira = {
description = "Atlassian JIRA"; description = "Atlassian JIRA";
@ -174,12 +185,6 @@ in
preStart = '' preStart = ''
mkdir -p ${cfg.home}/{logs,work,temp,deploy} mkdir -p ${cfg.home}/{logs,work,temp,deploy}
mkdir -p /run/atlassian-jira
ln -sf ${cfg.home}/{logs,work,temp,server.xml} /run/atlassian-jira
ln -sf ${cfg.home} /run/atlassian-jira/home
chown ${cfg.user} ${cfg.home}
sed -e 's,port="8080",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \ sed -e 's,port="8080",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \
'' + (lib.optionalString cfg.proxy.enable '' '' + (lib.optionalString cfg.proxy.enable ''
-e 's,protocol="HTTP/1.1",protocol="HTTP/1.1" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}" secure="${toString cfg.proxy.secure}",' \ -e 's,protocol="HTTP/1.1",protocol="HTTP/1.1" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}" secure="${toString cfg.proxy.secure}",' \
@ -191,7 +196,6 @@ in
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
PrivateTmp = true; PrivateTmp = true;
PermissionsStartOnly = true;
ExecStart = "${pkg}/bin/start-jira.sh -fg"; ExecStart = "${pkg}/bin/start-jira.sh -fg";
ExecStop = "${pkg}/bin/stop-jira.sh"; ExecStop = "${pkg}/bin/stop-jira.sh";
}; };
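Review bot: The `d '${cfg.home}' - ${cfg.user} - - -` rule leaves the group column empty, unlike the atlassian-crowd rule in this same commit which passes `${cfg.group}`, even though the service sets `Group = cfg.group`; the old `chown ${cfg.user} ${cfg.home}` was also user-only, so this is consistent with previous behaviour, but the divergence between the two modules looks accidental. If it is intentional, a short comment would help, e.g. `# group deliberately left unset; JIRA only needs the directory owned by cfg.user`; otherwise `"d '${cfg.home}' - ${cfg.user} ${cfg.group} - -"` would align it with crowd. As with crowd, the per-start `chown ${cfg.user} ${cfg.home}` that preStart used to run is gone and preStart presumably now runs as `cfg.user`, so the `mkdir -p` and `sed` depend on the home and its contents already being owned by that user.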


@ -182,16 +182,16 @@ in
users.groups = [ { name = cfg.group; } ]; users.groups = [ { name = cfg.group; } ];
systemd.tmpfiles.rules = [
"d '${cfg.statePath}/system/attachments' - ${cfg.user} ${cfg.group} - -"
];
systemd.services.frab = { systemd.services.frab = {
after = [ "network.target" "gitlab.service" ]; after = [ "network.target" "gitlab.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
environment = frabEnv; environment = frabEnv;
preStart = '' preStart = ''
mkdir -p ${cfg.statePath}/system/attachments
chown ${cfg.user}:${cfg.group} -R ${cfg.statePath}
mkdir /run/frab -p
ln -sf ${pkgs.writeText "frab-database.yml" databaseConfig} /run/frab/database.yml ln -sf ${pkgs.writeText "frab-database.yml" databaseConfig} /run/frab/database.yml
ln -sf ${cfg.statePath}/system /run/frab/system ln -sf ${cfg.statePath}/system /run/frab/system
@ -204,7 +204,6 @@ in
''; '';
serviceConfig = { serviceConfig = {
PermissionsStartOnly = true;
PrivateTmp = true; PrivateTmp = true;
PrivateDevices = true; PrivateDevices = true;
Type = "simple"; Type = "simple";
@ -213,6 +212,7 @@ in
TimeoutSec = "300s"; TimeoutSec = "300s";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
RuntimeDirectory = "frab";
WorkingDirectory = "${package}/share/frab"; WorkingDirectory = "${package}/share/frab";
ExecStart = "${frab-rake}/bin/frab-bundle exec rails server " + ExecStart = "${frab-rake}/bin/frab-bundle exec rails server " +
"--binding=${cfg.listenAddress} --port=${toString cfg.listenPort}"; "--binding=${cfg.listenAddress} --port=${toString cfg.listenPort}";