nixos/journalwatch: permissionsStartOnly is deprecated

See #53852 for details; this is related to the efforts in #56265.
Florian Jacob 2019-04-13 22:08:43 +02:00
parent 68c6f3f27e
commit e916cdf02d


@ -4,6 +4,8 @@ with lib;
let let
cfg = config.services.journalwatch; cfg = config.services.journalwatch;
user = "journalwatch"; user = "journalwatch";
# for journal access
group = "systemd-journal";
dataDir = "/var/lib/${user}"; dataDir = "/var/lib/${user}";
journalwatchConfig = pkgs.writeText "config" ('' journalwatchConfig = pkgs.writeText "config" (''
@ -31,6 +33,17 @@ let
'') filterBlocks); '') filterBlocks);
# can't use joinSymlinks directly, because when we point $XDG_CONFIG_HOME
# to the /nix/store path, we still need the subdirectory "journalwatch" inside that
# to match journalwatch's expectations
journalwatchConfigDir = pkgs.runCommand "journalwatch-config"
{ preferLocalBuild = true; allowSubstitutes = false; }
''
mkdir -p $out/journalwatch
ln -sf ${journalwatchConfig} $out/journalwatch/config
ln -sf ${journalwatchPatterns} $out/journalwatch/patterns
'';
in { in {
options = { options = {
@ -199,33 +212,38 @@ in {
users.users.${user} = { users.users.${user} = {
isSystemUser = true; isSystemUser = true;
createHome = true;
home = dataDir; home = dataDir;
# for journal access group = group;
group = "systemd-journal";
}; };
systemd.tmpfiles.rules = [
# present since NixOS 19.09: remove old stateful symlink join directory,
# which has been replaced with the journalwatchConfigDir store path
"R ${dataDir}/config"
];
systemd.services.journalwatch = { systemd.services.journalwatch = {
environment = { environment = {
# journalwatch stores the last processed timpestamp here
# the share subdirectory is historic now that config home lives in /nix/store,
# but moving this in a backwards-compatible way is much more work than what's justified
# for cleaning that up.
XDG_DATA_HOME = "${dataDir}/share"; XDG_DATA_HOME = "${dataDir}/share";
XDG_CONFIG_HOME = "${dataDir}/config"; XDG_CONFIG_HOME = journalwatchConfigDir;
}; };
serviceConfig = { serviceConfig = {
User = user; User = user;
Group = group;
Type = "oneshot"; Type = "oneshot";
PermissionsStartOnly = true; # requires a relative directory name to create beneath /var/lib
StateDirectory = user;
StateDirectoryMode = 0750;
ExecStart = "${pkgs.python3Packages.journalwatch}/bin/journalwatch mail"; ExecStart = "${pkgs.python3Packages.journalwatch}/bin/journalwatch mail";
# lowest CPU and IO priority, but both still in best-effort class to prevent starvation # lowest CPU and IO priority, but both still in best-effort class to prevent starvation
Nice=19; Nice=19;
IOSchedulingPriority=7; IOSchedulingPriority=7;
}; };
preStart = ''
chown -R ${user}:systemd-journal ${dataDir}
chmod -R u+rwX,go-w ${dataDir}
mkdir -p ${dataDir}/config/journalwatch
ln -sf ${journalwatchConfig} ${dataDir}/config/journalwatch/config
ln -sf ${journalwatchPatterns} ${dataDir}/config/journalwatch/patterns
'';
}; };
systemd.timers.journalwatch = { systemd.timers.journalwatch = {