diff options
| author | Florian Jacob <projects+git@florianjacob.de> | 2019-04-13 22:08:43 +0200 |
|---|---|---|
| committer | Florian Jacob <projects+git@florianjacob.de> | 2019-04-24 21:26:29 +0200 |
| commit | e916cdf02de684c963b65cbd07df78031ddc54a0 (patch) | |
| tree | f0080cede237009e0a4b9586d1c3628c5fcf99cd | |
| parent | 68c6f3f27e7427774f30c65f0e06101acfd73797 (diff) | |
| download | nixpkgs-e916cdf02de684c963b65cbd07df78031ddc54a0.tar nixpkgs-e916cdf02de684c963b65cbd07df78031ddc54a0.tar.gz nixpkgs-e916cdf02de684c963b65cbd07df78031ddc54a0.tar.bz2 nixpkgs-e916cdf02de684c963b65cbd07df78031ddc54a0.tar.lz nixpkgs-e916cdf02de684c963b65cbd07df78031ddc54a0.tar.xz nixpkgs-e916cdf02de684c963b65cbd07df78031ddc54a0.tar.zst nixpkgs-e916cdf02de684c963b65cbd07df78031ddc54a0.zip | |
nixos/journalwatch: permissionsStartOnly is deprecated
See #53852 for details, related to the efforts in #56265
| -rw-r--r-- | nixos/modules/services/logging/journalwatch.nix | 42 |
1 files changed, 30 insertions, 12 deletions
diff --git a/nixos/modules/services/logging/journalwatch.nix b/nixos/modules/services/logging/journalwatch.nix index d0824df38ae..576c646c0f5 100644 --- a/nixos/modules/services/logging/journalwatch.nix +++ b/nixos/modules/services/logging/journalwatch.nix @@ -4,6 +4,8 @@ with lib; let cfg = config.services.journalwatch; user = "journalwatch"; + # for journal access + group = "systemd-journal"; dataDir = "/var/lib/${user}"; journalwatchConfig = pkgs.writeText "config" ('' @@ -31,6 +33,17 @@ let '') filterBlocks); + # can't use joinSymlinks directly, because when we point $XDG_CONFIG_HOME + # to the /nix/store path, we still need the subdirectory "journalwatch" inside that + # to match journalwatch's expectations + journalwatchConfigDir = pkgs.runCommand "journalwatch-config" + { preferLocalBuild = true; allowSubstitutes = false; } + '' + mkdir -p $out/journalwatch + ln -sf ${journalwatchConfig} $out/journalwatch/config + ln -sf ${journalwatchPatterns} $out/journalwatch/patterns + ''; + in { options = { @@ -199,33 +212,38 @@ in { users.users.${user} = { isSystemUser = true; - createHome = true; home = dataDir; - # for journal access - group = "systemd-journal"; + group = group; }; + systemd.tmpfiles.rules = [ + # present since NixOS 19.09: remove old stateful symlink join directory, + # which has been replaced with the journalwatchConfigDir store path + "R ${dataDir}/config" + ]; + systemd.services.journalwatch = { + environment = { + # journalwatch stores the last processed timpestamp here + # the share subdirectory is historic now that config home lives in /nix/store, + # but moving this in a backwards-compatible way is much more work than what's justified + # for cleaning that up. XDG_DATA_HOME = "${dataDir}/share"; - XDG_CONFIG_HOME = "${dataDir}/config"; + XDG_CONFIG_HOME = journalwatchConfigDir; }; serviceConfig = { User = user; + Group = group; Type = "oneshot"; - PermissionsStartOnly = true; + # requires a relative directory name to create beneath /var/lib + StateDirectory = user; + StateDirectoryMode = 0750; ExecStart = "${pkgs.python3Packages.journalwatch}/bin/journalwatch mail"; # lowest CPU and IO priority, but both still in best-effort class to prevent starvation Nice=19; IOSchedulingPriority=7; }; - preStart = '' - chown -R ${user}:systemd-journal ${dataDir} - chmod -R u+rwX,go-w ${dataDir} - mkdir -p ${dataDir}/config/journalwatch - ln -sf ${journalwatchConfig} ${dataDir}/config/journalwatch/config - ln -sf ${journalwatchPatterns} ${dataDir}/config/journalwatch/patterns - ''; }; systemd.timers.journalwatch = { |