From a1c48c3f630813046bc022493bf60d5bb9097d10 Mon Sep 17 00:00:00 2001
From: Aaron Andersen
Date: Sun, 24 Feb 2019 07:53:36 -0500
Subject: nixos/vault: replace deprecated usage of PermissionsStartOnly

see https://github.com/NixOS/nixpkgs/issues/53852
---
 nixos/modules/services/security/vault.nix | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
(limited to 'nixos/modules/services/security')
diff --git a/nixos/modules/services/security/vault.nix b/nixos/modules/services/security/vault.nix
index 0b28bc89445..8176c168ca9 100644
--- a/nixos/modules/services/security/vault.nix
+++ b/nixos/modules/services/security/vault.nix
@@ -119,6 +119,10 @@ in
 };
 users.groups.vault.gid = config.ids.gids.vault;
+ systemd.tmpfiles.rules = optional (cfg.storagePath != null) [
+ "d '${cfg.storagePath}' 0700 vault vault - -"
+ ];
+
 systemd.services.vault = {
 description = "Vault server daemon";
@@ -128,14 +132,9 @@ in
 restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
- preStart = optionalString (cfg.storagePath != null) ''
- install -d -m0700 -o vault -g vault "${cfg.storagePath}"
- '';
-
 serviceConfig = {
 User = "vault";
 Group = "vault";
- PermissionsStartOnly = true;
 ExecStart = "${cfg.package}/bin/vault server -config ${configFile}";
 PrivateDevices = true;
 PrivateTmp = true;
-- cgit 1.4.1
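Review bot: The added `systemd.tmpfiles.rules` assignment passes a list literal to `optional`, which wraps its second argument in a list. Whenever `cfg.storagePath` is set, the value therefore becomes a nested list (`[ [ "d ..." ] ]`) rather than a list of strings, which the option's type check should reject. Pass the rule as a bare string, `systemd.tmpfiles.rules = optional (cfg.storagePath != null) "d '${cfg.storagePath}' 0700 vault vault - -";`, or keep the brackets and use `optionals`. Separately, tmpfiles rules are presumably applied at boot and activation rather than on every service start, so unlike the removed `preStart` the 0700 vault-owned directory is not re-created if it disappears while the system is running; a short comment above the rule saying so would help. The enclosing config attribute set begins and ends outside this hunk.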