nixos/spamassassin: Simplify services by using StateDirectory

Let systemd create SpamAssassin's state directory and populate it using the regular updater service. Depend on the updater service on boot but do not propagate failure to the main service. spamd's commands to start and reload the service are still executed as root but user/group are set to properly chown the state directory to the target user. spamd drops privileges itself for its runner children but preserves root on the main daemon (to listen and re-exec).
2021-01-01 19:56:52 +01:00 · 2021-01-01 19:56:52 +01:00 · 624cc51bad
commit 624cc51bad
parent 1db74d1150
1 changed files with 17 additions and 41 deletions
--- a/nixos/modules/services/mail/spamassassin.nix
+++ b/nixos/modules/services/mail/spamassassin.nix
@ -126,22 +126,19 @@ in
    };

    systemd.services.sa-update = {
+      # Needs to be able to contact the update server.
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
-      script = ''
-        set +e
-        ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/" spamd

-        v=$?
-        set -e
-        if [ $v -gt 1 ]; then
-          echo "sa-update execution error"
-          exit $v
-        fi
-        if [ $v -eq 0 ]; then
-          systemctl reload spamd.service
-        fi
-      '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = "spamd";
+        Group = "spamd";
+        StateDirectory = "spamassassin";
+        ExecStart = "${pkgs.spamassassin}/bin/sa-update --verbose --gpghomedir=%S/spamassassin/sa-update-keys/";
+        ExecStartPost = "+${pkgs.systemd}/bin/systemctl -q --no-block try-reload-or-restart spamd.service";
+        SuccessExitStatus = "1";
+      };
    };

    systemd.timers.sa-update = {
@ -154,43 +151,22 @@ in
      };
    };

-    systemd.services.spamd-init = {
-      serviceConfig = {
-        Type = "oneshot";
-      };
-      script = ''
-        mkdir -p /var/lib/spamassassin
-        chown spamd:spamd /var/lib/spamassassin -R
-        if [ "$(ls -A /var/lib/spamassassin)" = "" ]; then
-          echo "'/var/lib/spamassassin' is empty, running sa-update..."
-          set +e
-          ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/" spamd
-          v=$?
-          set -e
-          # 0 and 1 no error, exitcode > 1 means error:
-          # https://spamassassin.apache.org/full/3.1.x/doc/sa-update.html#exit_codes
-          if [ $v -gt 1 ]; then
-            echo "sa-update execution error"
-            exit $v
-          fi
-          echo "sa-update run successfully."
-        fi
-      '';
-    };
-
    systemd.services.spamd = {
      description = "SpamAssassin Server";

      wantedBy = [ "multi-user.target" ];
-      wants = [ "spamd-init.service" ];
+      wants = [ "sa-update.service" ];
      after = [
        "network.target"
-        "spamd-init.service"
+        "sa-update.service"
      ];

      serviceConfig = {
-        ExecStart = "${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --groupname=spamd --virtual-config-dir=/var/lib/spamassassin/user-%u --allow-tell --pidfile=/run/spamd.pid";
-        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        User = "spamd";
+        Group = "spamd";
+        ExecStart = "+${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --groupname=spamd --virtual-config-dir=%S/spamassassin/user-%u --allow-tell --pidfile=/run/spamd.pid";
+        ExecReload = "+${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        StateDirectory = "spamassassin";
      };
    };
  };