From 624cc51badb6b3b6aff2ebc7cf8a7243edcc0a0d Mon Sep 17 00:00:00 2001
From: Philipp Kern
Date: Fri, 1 Jan 2021 19:56:52 +0100
Subject: [PATCH] nixos/spamassassin: Simplify services by using StateDirectory
Let systemd create SpamAssassin's state directory and populate it using the regular updater service. Depend on the updater service on boot but do not propagate failure to the main service. spamd's commands to start and reload the service are still executed as root but user/group are set to properly chown the state directory to the target user. spamd drops privileges itself for its runner children but preserves root on the main daemon (to listen and re-exec).
---
 nixos/modules/services/mail/spamassassin.nix | 58 ++++++--------------
 1 file changed, 17 insertions(+), 41 deletions(-)
diff --git a/nixos/modules/services/mail/spamassassin.nix b/nixos/modules/services/mail/spamassassin.nix
index 0bbf2df48d40..98d9e925dcd7 100644
--- a/nixos/modules/services/mail/spamassassin.nix
+++ b/nixos/modules/services/mail/spamassassin.nix
@@ -126,22 +126,19 @@ in
 };
 systemd.services.sa-update = {
+ # Needs to be able to contact the update server.
 wants = [ "network-online.target" ];
 after = [ "network-online.target" ];
- script = ''
- set +e
- ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/" spamd
- v=$?
- set -e
- if [ $v -gt 1 ]; then
- echo "sa-update execution error"
- exit $v
- fi
- if [ $v -eq 0 ]; then
- systemctl reload spamd.service
- fi
- '';
+ serviceConfig = {
+ Type = "oneshot";
+ User = "spamd";
+ Group = "spamd";
+ StateDirectory = "spamassassin";
+ ExecStart = "${pkgs.spamassassin}/bin/sa-update --verbose --gpghomedir=%S/spamassassin/sa-update-keys/";
+ ExecStartPost = "+${pkgs.systemd}/bin/systemctl -q --no-block try-reload-or-restart spamd.service";
+ SuccessExitStatus = "1";
+ };
 };
 systemd.timers.sa-update = {
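Review bot: `SuccessExitStatus = "1";` makes the unit count sa-update's "no update available" result as success, so the root-run `ExecStartPost` reloads or restarts spamd on every timer run, whereas the removed script only reloaded when the exit code was 0. If that is intended, say so next to the setting, e.g. `# sa-update exits 1 when no update is available; spamd is still reloaded in that case.` If it is not, the reload needs to be conditional on exit code 0 again, which a plain `ExecStartPost` cannot express. The `+` prefix on `ExecStartPost` is the only privileged step left in this unit and is worth a short comment too.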
@@ -154,43 +151,22 @@ in
 };
 };
- systemd.services.spamd-init = {
- serviceConfig = {
- Type = "oneshot";
- };
- script = ''
- mkdir -p /var/lib/spamassassin
- chown spamd:spamd /var/lib/spamassassin -R
- if [ "$(ls -A /var/lib/spamassassin)" = "" ]; then
- echo "'/var/lib/spamassassin' is empty, running sa-update..."
- set +e
- ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/" spamd
- v=$?
- set -e
- # 0 and 1 no error, exitcode > 1 means error:
- # https://spamassassin.apache.org/full/3.1.x/doc/sa-update.html#exit_codes
- if [ $v -gt 1 ]; then
- echo "sa-update execution error"
- exit $v
- fi
- echo "sa-update run successfully."
- fi
- '';
- };
-
 systemd.services.spamd = {
 description = "SpamAssassin Server";
 wantedBy = [ "multi-user.target" ];
- wants = [ "spamd-init.service" ];
+ wants = [ "sa-update.service" ];
 after = [
 "network.target"
- "spamd-init.service"
+ "sa-update.service"
 ];
 serviceConfig = {
- ExecStart = "${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --groupname=spamd --virtual-config-dir=/var/lib/spamassassin/user-%u --allow-tell --pidfile=/run/spamd.pid";
- ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ User = "spamd";
+ Group = "spamd";
+ ExecStart = "+${pkgs.spamassassin}/bin/spamd ${optionalString cfg.debug "-D"} --username=spamd --groupname=spamd --virtual-config-dir=%S/spamassassin/user-%u --allow-tell --pidfile=/run/spamd.pid";
+ ExecReload = "+${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ StateDirectory = "spamassassin";
 };
 };
 };
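Review bot: In the new `ExecStart`, `%S` and `%u` sit in the same argument, and systemd expands both before spamd sees the command line; `%u` resolves to the user running the service manager (root for a system unit), not to spamd's per-user placeholder. If the `%u` is meant for spamd's own expansion, all mail users end up sharing a single `user-root` directory for preferences and learned data, and the literal has to be escaped as `--virtual-config-dir=%S/spamassassin/user-%%u`. The removed line carried the same unescaped `%u`, so this commit does not introduce it, but adding `%S` beside it makes the two specifier syntaxes easy to confuse. Separately, `User = "spamd";` reads as if the daemon were unprivileged, so a comment there would help, e.g. `# Only sets StateDirectory ownership; the "+" commands below still run as root.`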