diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-05-12 14:33:46 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-05-12 14:33:46 +0200 |
| commit | 81b9ff8980a9a235b8915b5779ebc1d2a738a9a3 (patch) | |
| tree | cd9d52274331a37f58048c836f8cf015e1f78c83 | |
| parent | b92abb02739e04df9996f31dd4f30c793b190c7a (diff) | |
| download | Nix-81b9ff8980a9a235b8915b5779ebc1d2a738a9a3.tar.gz Nix-81b9ff8980a9a235b8915b5779ebc1d2a738a9a3.tar.zst Nix-81b9ff8980a9a235b8915b5779ebc1d2a738a9a3.zip | |
Use systemd RuntimeDirectory and StateDirectory entries to ensure runtime directory existence in apps
| -rw-r--r-- | modules/webapps/diaspora.nix | 28 | ||||
| -rw-r--r-- | modules/webapps/mastodon.nix | 32 | ||||
| -rw-r--r-- | modules/webapps/mediagoblin.nix | 26 | ||||
| -rw-r--r-- | nixops/modules/buildbot/default.nix | 9 | ||||
| -rw-r--r-- | nixops/modules/databases/redis.nix | 8 | ||||
| -rw-r--r-- | nixops/modules/mpd.nix | 4 | ||||
| -rw-r--r-- | nixops/modules/task/default.nix | 12 |
7 files changed, 92 insertions, 27 deletions
diff --git a/modules/webapps/diaspora.nix b/modules/webapps/diaspora.nix index 8451c6d..2266332 100644 --- a/modules/webapps/diaspora.nix +++ b/modules/webapps/diaspora.nix | |||
| @@ -52,6 +52,26 @@ in | |||
| 52 | ''; | 52 | ''; |
| 53 | }; | 53 | }; |
| 54 | # Output variables | 54 | # Output variables |
| 55 | systemdStateDirectory = lib.mkOption { | ||
| 56 | type = lib.types.str; | ||
| 57 | # Use ReadWritePaths= instead if varDir is outside of /var/lib | ||
| 58 | default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir; | ||
| 59 | lib.strings.removePrefix "/var/lib/" cfg.dataDir; | ||
| 60 | description = '' | ||
| 61 | Adjusted Diaspora data directory for systemd | ||
| 62 | ''; | ||
| 63 | readOnly = true; | ||
| 64 | }; | ||
| 65 | systemdRuntimeDirectory = lib.mkOption { | ||
| 66 | type = lib.types.str; | ||
| 67 | # Use ReadWritePaths= instead if socketsDir is outside of /run | ||
| 68 | default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; | ||
| 69 | lib.strings.removePrefix "/run/" cfg.socketsDir; | ||
| 70 | description = '' | ||
| 71 | Adjusted Diaspora sockets directory for systemd | ||
| 72 | ''; | ||
| 73 | readOnly = true; | ||
| 74 | }; | ||
| 55 | workdir = lib.mkOption { | 75 | workdir = lib.mkOption { |
| 56 | type = lib.types.package; | 76 | type = lib.types.package; |
| 57 | default = cfg.package.override { | 77 | default = cfg.package.override { |
| @@ -134,6 +154,8 @@ in | |||
| 134 | Restart = "always"; | 154 | Restart = "always"; |
| 135 | Type = "simple"; | 155 | Type = "simple"; |
| 136 | WorkingDirectory = cfg.workdir; | 156 | WorkingDirectory = cfg.workdir; |
| 157 | StateDirectory = cfg.systemdStateDirectory; | ||
| 158 | RuntimeDirectory = cfg.systemdRuntimeDirectory; | ||
| 137 | StandardInput = "null"; | 159 | StandardInput = "null"; |
| 138 | KillMode = "control-group"; | 160 | KillMode = "control-group"; |
| 139 | }; | 161 | }; |
| @@ -144,10 +166,8 @@ in | |||
| 144 | system.activationScripts.diaspora = { | 166 | system.activationScripts.diaspora = { |
| 145 | deps = [ "users" ]; | 167 | deps = [ "users" ]; |
| 146 | text = '' | 168 | text = '' |
| 147 | install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.socketsDir} | 169 | install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.dataDir}/uploads \ |
| 148 | install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.dataDir} \ | 170 | ${cfg.dataDir}/tmp ${cfg.dataDir}/log |
| 149 | ${cfg.dataDir}/uploads ${cfg.dataDir}/tmp \ | ||
| 150 | ${cfg.dataDir}/log | ||
| 151 | install -m 0700 -o ${cfg.user} -g ${cfg.group} -d ${cfg.dataDir}/tmp/pids | 171 | install -m 0700 -o ${cfg.user} -g ${cfg.group} -d ${cfg.dataDir}/tmp/pids |
| 152 | if [ ! -f ${cfg.dataDir}/schedule.yml ]; then | 172 | if [ ! -f ${cfg.dataDir}/schedule.yml ]; then |
| 153 | echo "{}" | $wrapperDir/sudo -u ${cfg.user} tee ${cfg.dataDir}/schedule.yml | 173 | echo "{}" | $wrapperDir/sudo -u ${cfg.user} tee ${cfg.dataDir}/schedule.yml |
diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix index ad6d0c3..f8fbcba 100644 --- a/modules/webapps/mastodon.nix +++ b/modules/webapps/mastodon.nix | |||
| @@ -62,6 +62,26 @@ in | |||
| 62 | ''; | 62 | ''; |
| 63 | readOnly = true; | 63 | readOnly = true; |
| 64 | }; | 64 | }; |
| 65 | systemdStateDirectory = lib.mkOption { | ||
| 66 | type = lib.types.str; | ||
| 67 | # Use ReadWritePaths= instead if varDir is outside of /var/lib | ||
| 68 | default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir; | ||
| 69 | lib.strings.removePrefix "/var/lib/" cfg.dataDir; | ||
| 70 | description = '' | ||
| 71 | Adjusted Mastodon data directory for systemd | ||
| 72 | ''; | ||
| 73 | readOnly = true; | ||
| 74 | }; | ||
| 75 | systemdRuntimeDirectory = lib.mkOption { | ||
| 76 | type = lib.types.str; | ||
| 77 | # Use ReadWritePaths= instead if socketsDir is outside of /run | ||
| 78 | default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; | ||
| 79 | lib.strings.removePrefix "/run/" cfg.socketsDir; | ||
| 80 | description = '' | ||
| 81 | Adjusted Mastodon sockets directory for systemd | ||
| 82 | ''; | ||
| 83 | readOnly = true; | ||
| 84 | }; | ||
| 65 | sockets = lib.mkOption { | 85 | sockets = lib.mkOption { |
| 66 | type = lib.types.attrsOf lib.types.path; | 86 | type = lib.types.attrsOf lib.types.path; |
| 67 | default = { | 87 | default = { |
| @@ -122,6 +142,9 @@ in | |||
| 122 | TimeoutSec = 15; | 142 | TimeoutSec = 15; |
| 123 | Type = "simple"; | 143 | Type = "simple"; |
| 124 | WorkingDirectory = cfg.workdir; | 144 | WorkingDirectory = cfg.workdir; |
| 145 | StateDirectory = cfg.systemdStateDirectory; | ||
| 146 | RuntimeDirectory = cfg.systemdRuntimeDirectory; | ||
| 147 | RuntimeDirectoryPreserve = "yes"; | ||
| 125 | }; | 148 | }; |
| 126 | 149 | ||
| 127 | unitConfig.RequiresMountsFor = cfg.dataDir; | 150 | unitConfig.RequiresMountsFor = cfg.dataDir; |
| @@ -155,6 +178,9 @@ in | |||
| 155 | TimeoutSec = 60; | 178 | TimeoutSec = 60; |
| 156 | Type = "simple"; | 179 | Type = "simple"; |
| 157 | WorkingDirectory = cfg.workdir; | 180 | WorkingDirectory = cfg.workdir; |
| 181 | StateDirectory = cfg.systemdStateDirectory; | ||
| 182 | RuntimeDirectory = cfg.systemdRuntimeDirectory; | ||
| 183 | RuntimeDirectoryPreserve = "yes"; | ||
| 158 | }; | 184 | }; |
| 159 | 185 | ||
| 160 | unitConfig.RequiresMountsFor = cfg.dataDir; | 186 | unitConfig.RequiresMountsFor = cfg.dataDir; |
| @@ -184,6 +210,9 @@ in | |||
| 184 | TimeoutSec = 15; | 210 | TimeoutSec = 15; |
| 185 | Type = "simple"; | 211 | Type = "simple"; |
| 186 | WorkingDirectory = cfg.workdir; | 212 | WorkingDirectory = cfg.workdir; |
| 213 | StateDirectory = cfg.systemdStateDirectory; | ||
| 214 | RuntimeDirectory = cfg.systemdRuntimeDirectory; | ||
| 215 | RuntimeDirectoryPreserve = "yes"; | ||
| 187 | }; | 216 | }; |
| 188 | 217 | ||
| 189 | unitConfig.RequiresMountsFor = cfg.dataDir; | 218 | unitConfig.RequiresMountsFor = cfg.dataDir; |
| @@ -192,8 +221,7 @@ in | |||
| 192 | system.activationScripts.mastodon = { | 221 | system.activationScripts.mastodon = { |
| 193 | deps = [ "users" ]; | 222 | deps = [ "users" ]; |
| 194 | text = '' | 223 | text = '' |
| 195 | install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.socketsDir} | 224 | install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.dataDir}/tmp/cache |
| 196 | install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.dataDir} ${cfg.dataDir}/tmp/cache | ||
| 197 | ''; | 225 | ''; |
| 198 | }; | 226 | }; |
| 199 | 227 | ||
diff --git a/modules/webapps/mediagoblin.nix b/modules/webapps/mediagoblin.nix index 0232aab..5753457 100644 --- a/modules/webapps/mediagoblin.nix +++ b/modules/webapps/mediagoblin.nix | |||
| @@ -107,6 +107,26 @@ in | |||
| 107 | ''; | 107 | ''; |
| 108 | readOnly = true; | 108 | readOnly = true; |
| 109 | }; | 109 | }; |
| 110 | systemdStateDirectory = lib.mkOption { | ||
| 111 | type = lib.types.str; | ||
| 112 | # Use ReadWritePaths= instead if varDir is outside of /var/lib | ||
| 113 | default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir; | ||
| 114 | lib.strings.removePrefix "/var/lib/" cfg.dataDir; | ||
| 115 | description = '' | ||
| 116 | Adjusted Mediagoblin data directory for systemd | ||
| 117 | ''; | ||
| 118 | readOnly = true; | ||
| 119 | }; | ||
| 120 | systemdRuntimeDirectory = lib.mkOption { | ||
| 121 | type = lib.types.str; | ||
| 122 | # Use ReadWritePaths= instead if socketsDir is outside of /run | ||
| 123 | default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; | ||
| 124 | lib.strings.removePrefix "/run/" cfg.socketsDir; | ||
| 125 | description = '' | ||
| 126 | Adjusted Mediagoblin sockets directory for systemd | ||
| 127 | ''; | ||
| 128 | readOnly = true; | ||
| 129 | }; | ||
| 110 | sockets = lib.mkOption { | 130 | sockets = lib.mkOption { |
| 111 | type = lib.types.attrsOf lib.types.path; | 131 | type = lib.types.attrsOf lib.types.path; |
| 112 | default = { | 132 | default = { |
| @@ -173,6 +193,8 @@ in | |||
| 173 | TimeoutSec = 15; | 193 | TimeoutSec = 15; |
| 174 | Type = "simple"; | 194 | Type = "simple"; |
| 175 | WorkingDirectory = cfg.workdir; | 195 | WorkingDirectory = cfg.workdir; |
| 196 | RuntimeDirectory = cfg.systemdRuntimeDirectory; | ||
| 197 | StateDirectory= cfg.systemdStateDirectory; | ||
| 176 | PIDFile = cfg.pids.paster; | 198 | PIDFile = cfg.pids.paster; |
| 177 | }; | 199 | }; |
| 178 | 200 | ||
| @@ -200,6 +222,8 @@ in | |||
| 200 | TimeoutSec = 60; | 222 | TimeoutSec = 60; |
| 201 | Type = "simple"; | 223 | Type = "simple"; |
| 202 | WorkingDirectory = cfg.workdir; | 224 | WorkingDirectory = cfg.workdir; |
| 225 | RuntimeDirectory = cfg.systemdRuntimeDirectory; | ||
| 226 | StateDirectory= cfg.systemdStateDirectory; | ||
| 203 | PIDFile = cfg.pids.celery; | 227 | PIDFile = cfg.pids.celery; |
| 204 | }; | 228 | }; |
| 205 | 229 | ||
| @@ -209,8 +233,6 @@ in | |||
| 209 | system.activationScripts.mediagoblin = { | 233 | system.activationScripts.mediagoblin = { |
| 210 | deps = [ "users" ]; | 234 | deps = [ "users" ]; |
| 211 | text = '' | 235 | text = '' |
| 212 | install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.socketsDir} | ||
| 213 | install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.dataDir} | ||
| 214 | if [ -d ${cfg.dataDir}/plugin_static/ ]; then | 236 | if [ -d ${cfg.dataDir}/plugin_static/ ]; then |
| 215 | rm ${cfg.dataDir}/plugin_static/coreplugin_basic_auth | 237 | rm ${cfg.dataDir}/plugin_static/coreplugin_basic_auth |
| 216 | ln -sf ${cfg.workdir}/mediagoblin/plugins/basic_auth/static ${cfg.dataDir}/plugin_static/coreplugin_basic_auth | 238 | ln -sf ${cfg.workdir}/mediagoblin/plugins/basic_auth/static ${cfg.dataDir}/plugin_static/coreplugin_basic_auth |
diff --git a/nixops/modules/buildbot/default.nix b/nixops/modules/buildbot/default.nix index d7dd479..c812af9 100644 --- a/nixops/modules/buildbot/default.nix +++ b/nixops/modules/buildbot/default.nix | |||
| @@ -61,11 +61,7 @@ in | |||
| 61 | 61 | ||
| 62 | system.activationScripts = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { | 62 | system.activationScripts = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" { |
| 63 | deps = [ "users" "wrappers" ]; | 63 | deps = [ "users" "wrappers" ]; |
| 64 | text = '' | 64 | text = project.activationScript; |
| 65 | install -m 0755 -o buildbot -g buildbot -d /run/buildbot/ | ||
| 66 | install -m 0755 -o buildbot -g buildbot -d ${varDir} | ||
| 67 | ${project.activationScript} | ||
| 68 | ''; | ||
| 69 | }) myconfig.env.buildbot.projects; | 65 | }) myconfig.env.buildbot.projects; |
| 70 | 66 | ||
| 71 | secrets.keys = ( | 67 | secrets.keys = ( |
| @@ -190,6 +186,9 @@ in | |||
| 190 | Type = "forking"; | 186 | Type = "forking"; |
| 191 | User = "buildbot"; | 187 | User = "buildbot"; |
| 192 | Group = "buildbot"; | 188 | Group = "buildbot"; |
| 189 | RuntimeDirectory = "buildbot"; | ||
| 190 | RuntimeDirectoryPreserve = "yes"; | ||
| 191 | StateDirectory = "buildbot"; | ||
| 193 | SupplementaryGroups = "keys"; | 192 | SupplementaryGroups = "keys"; |
| 194 | WorkingDirectory = "${varDir}/${project.name}"; | 193 | WorkingDirectory = "${varDir}/${project.name}"; |
| 195 | ExecStart = "${buildbot}/bin/buildbot start"; | 194 | ExecStart = "${buildbot}/bin/buildbot start"; |
diff --git a/nixops/modules/databases/redis.nix b/nixops/modules/databases/redis.nix index a0917df..75c69a6 100644 --- a/nixops/modules/databases/redis.nix +++ b/nixops/modules/databases/redis.nix | |||
| @@ -27,11 +27,9 @@ in { | |||
| 27 | maxclients 1024 | 27 | maxclients 1024 |
| 28 | ''; | 28 | ''; |
| 29 | }; | 29 | }; |
| 30 | system.activationScripts.redis = '' | 30 | systemd.services.redis.serviceConfig.RuntimeDirectory = |
| 31 | mkdir -p $(dirname ${myconfig.env.databases.redis.socket}) | 31 | assert myconfig.env.databases.redis.socket == "/run/redis/redis.sock"; |
| 32 | chown redis $(dirname ${myconfig.env.databases.redis.socket}) | 32 | "redis"; |
| 33 | ''; | ||
| 34 | |||
| 35 | }; | 33 | }; |
| 36 | } | 34 | } |
| 37 | 35 | ||
diff --git a/nixops/modules/mpd.nix b/nixops/modules/mpd.nix index bc8b8df..9903bdf 100644 --- a/nixops/modules/mpd.nix +++ b/nixops/modules/mpd.nix | |||
| @@ -19,9 +19,7 @@ | |||
| 19 | ]; | 19 | ]; |
| 20 | networking.firewall.allowedTCPPorts = [ 6600 ]; | 20 | networking.firewall.allowedTCPPorts = [ 6600 ]; |
| 21 | users.users.mpd.extraGroups = [ "wwwrun" "keys" ]; | 21 | users.users.mpd.extraGroups = [ "wwwrun" "keys" ]; |
| 22 | system.activationScripts.mpd = '' | 22 | systemd.services.mpd.serviceConfig.RuntimeDirectory = "mpd"; |
| 23 | install -d -m 0755 -o mpd -g mpd /run/mpd | ||
| 24 | ''; | ||
| 25 | services.mpd = { | 23 | services.mpd = { |
| 26 | enable = true; | 24 | enable = true; |
| 27 | network.listenAddress = "any"; | 25 | network.listenAddress = "any"; |
diff --git a/nixops/modules/task/default.nix b/nixops/modules/task/default.nix index 8454c4b..8370608 100644 --- a/nixops/modules/task/default.nix +++ b/nixops/modules/task/default.nix | |||
| @@ -245,12 +245,6 @@ in { | |||
| 245 | system.activationScripts.taskwarrior-web = { | 245 | system.activationScripts.taskwarrior-web = { |
| 246 | deps = [ "users" ]; | 246 | deps = [ "users" ]; |
| 247 | text = '' | 247 | text = '' |
| 248 | install -m 0755 -o ${user} -g ${group} -d ${socketsDir} | ||
| 249 | install -m 0750 -o ${user} -g ${group} -d ${varDir} | ||
| 250 | ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList | ||
| 251 | (k: v: "install -m 0750 -o ${user} -g ${group} -d ${varDir}/${k}") | ||
| 252 | env.taskwarrior-web | ||
| 253 | )} | ||
| 254 | if [ ! -f ${server_vardir}/userkeys/taskwarrior-web.cert.pem ]; then | 248 | if [ ! -f ${server_vardir}/userkeys/taskwarrior-web.cert.pem ]; then |
| 255 | ${taskserver-user-certs}/bin/taskserver-user-certs taskwarrior-web | 249 | ${taskserver-user-certs}/bin/taskserver-user-certs taskwarrior-web |
| 256 | chown taskd:taskd ${server_vardir}/userkeys/taskwarrior-web.cert.pem ${server_vardir}/userkeys/taskwarrior-web.key.pem | 250 | chown taskd:taskd ${server_vardir}/userkeys/taskwarrior-web.cert.pem ${server_vardir}/userkeys/taskwarrior-web.key.pem |
| @@ -315,6 +309,12 @@ in { | |||
| 315 | TimeoutSec = 60; | 309 | TimeoutSec = 60; |
| 316 | Type = "simple"; | 310 | Type = "simple"; |
| 317 | WorkingDirectory = taskwarrior-web; | 311 | WorkingDirectory = taskwarrior-web; |
| 312 | StateDirectoryMode = 0750; | ||
| 313 | StateDirectory = assert lib.strings.hasPrefix "/var/lib/" varDir; | ||
| 314 | (lib.strings.removePrefix "/var/lib/" varDir + "/${name}"); | ||
| 315 | RuntimeDirectoryPreserve = "yes"; | ||
| 316 | RuntimeDirectory = assert lib.strings.hasPrefix "/run/" socketsDir; | ||
| 317 | lib.strings.removePrefix "/run/" socketsDir; | ||
| 318 | }; | 318 | }; |
| 319 | 319 | ||
| 320 | unitConfig.RequiresMountsFor = varDir; | 320 | unitConfig.RequiresMountsFor = varDir; |