
nix: use tmpfiles.settings instead of rules

Signed-off-by: Myned <dev@bjork.tech>
This commit is contained in:
Myned 2024-12-06 19:48:23 -06:00
parent 8bde5c66e6
commit 16c295d7c1
Signed by: myned
GPG key ID: C7224454F7881A34
7 changed files with 73 additions and 17 deletions


@ -38,10 +38,13 @@ in {
# TODO: Use nobody:nogroup instead when docker allows changing mount ownership
# HACK: Copy with global read-only permissions in container directory which is assumed to be locked down
# https://github.com/moby/moby/issues/2259
systemd.tmpfiles.rules = [
"C ${config.custom.containers.directory}/coturn/coturn.conf 0444 - - - ${
config.age.secrets."${config.custom.profile}/coturn/coturn.conf".path
}"
];
systemd.tmpfiles.settings."10-coturn" = {
"${config.custom.containers.directory}/coturn/coturn.conf" = {
C = {
mode = "0444";
argument = "${config.age.secrets."${config.custom.profile}/coturn/coturn.conf".path}";
};
};
};
};
}
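Review bot: The `C` entry copies the secret only when the destination does not yet exist (per tmpfiles.d(5); newer systemd versions document a `+` modifier for an unconditional copy — check the page for the installed version), so a rotated coturn secret is not re-copied into the container directory until the 0444 copy is removed by hand; the removed rule had the same limitation, but the comment block above does not say so, e.g. `# NOTE: C only copies when the target is absent; delete the copy to pick up a rotated secret`. The `argument` value wraps a single expression in an interpolated string; `argument = config.age.secrets."${config.custom.profile}/coturn/coturn.conf".path;` is equivalent and avoids the nested quoting. The world-readable mode is only as safe as the permissions on the parent directory, which this hunk does not show, so the "assumed to be locked down" HACK comment should point at wherever `config.custom.containers.directory` is created.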


@ -79,7 +79,16 @@ in {
podman-tui
];
systemd.tmpfiles.rules = ["d /containers 0700 root root"]; # Custom directory for containers
systemd.tmpfiles.settings."10-containers" = {
"/containers" = {
d = {
mode = "0700";
user = "root";
group = "root";
};
};
};
users.users.${config.custom.username}.extraGroups = [
(
if cfg.docker
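Review bot: The `# Custom directory for containers` comment on the removed rules line was dropped in the migration; the new attribute should keep it, e.g. `"/containers" = { # Custom directory for containers`. The path is also spelled out literally here while the other hunks in this commit address the container tree through `config.custom.containers.directory`; if that option resolves to /containers, keying the entry on `"${config.custom.containers.directory}"` keeps the 0700 root-only parent and the secrets copied underneath it in agreement when the option changes. The enclosing attribute set continues past the end of the hunk.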


@ -81,6 +81,14 @@ in {
};
#!! Required for correct volume permissions
systemd.tmpfiles.rules = ["z ${config.custom.containers.directory}/netbox/media 0770 999 root"]; # unit:root
systemd.tmpfiles.settings."10-netbox" = {
"${config.custom.containers.directory}/netbox/media" = {
z = {
mode = "0770";
user = "999"; # unit
group = "root";
};
};
};
};
}
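Review bot: Only half of the old `# unit:root` note survived as `# unit`, which does not tell a reader where the numeric `999` comes from or what breaks if the image changes it; a fuller comment such as `user = "999"; # UID the netbox container runs as — must match the image` would. Since `z` adjusts only the path itself (unlike `Z`), files created underneath it with other ownership are not corrected at boot; the removed rule behaved the same, so this is worth stating beside `#!! Required for correct volume permissions` rather than changing.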


@ -10,6 +10,14 @@ in {
config = mkIf cfg.enable {
# Set /mnt permissions
systemd.tmpfiles.rules = ["z /mnt 0755 root root"];
systemd.tmpfiles.settings."10-mnt" = {
"/mnt" = {
z = {
mode = "0755";
user = "root";
group = "root";
};
};
};
};
}


@ -11,9 +11,20 @@ in {
config = mkIf cfg.enable {
# https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html
# Create NixOS configuration directory and set permissions
systemd.tmpfiles.rules = [
"d /etc/nixos 0755 myned root"
"Z /etc/nixos - myned root" # Recursively set owner
];
systemd.tmpfiles.settings."10-nixos" = {
"/etc/nixos" = {
d = {
mode = "0755";
user = config.custom.username;
group = "root";
};
#!! Recursive
Z = {
user = config.custom.username;
group = "root";
};
};
};
};
}
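Review bot: The `Z` entry re-applies ownership of the whole /etc/nixos tree to the unprivileged login user at every boot, so anything able to write as `config.custom.username` can change what the next root-run `nixos-rebuild` builds; the removed rule did the same with the hard-coded name, but the trade-off is not recorded anywhere. Expanding the marker to `#!! Recursive: hands the whole config tree to the login user; a compromise of that account reaches the next rebuild as root` states it where the next reader will look. `Z` only acts on paths that already exist, which is fine here because the `d` entry above creates the directory first; leaving `mode` unset keeps existing modes untouched, matching the old `-`.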


@ -35,10 +35,20 @@ in {
};
# Serve static files
systemd.tmpfiles.rules = [
"d /srv/static - caddy caddy"
"Z /srv/static - caddy caddy"
];
systemd.tmpfiles.settings."10-caddy" = {
"/srv/static" = {
d = {
user = "caddy";
group = "caddy";
};
#!! Recursive
Z = {
user = "caddy";
group = "caddy";
};
};
};
# https://wiki.nixos.org/wiki/Firewall
# https://github.com/coturn/coturn/blob/master/docker/coturn/README.md
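Review bot: Granting the caddy service user recursive ownership of /srv/static means a compromised caddy process can rewrite the content it serves; static files normally need only read access from the service, so a root-owned tree with `group = "caddy"` and explicit `0755`/`0644` modes would be the least-privilege shape, unless something writes there as caddy (the hunk does not show that). If write access is intentional, record it on the marker, e.g. `#!! Recursive: caddy owns and may modify the served tree by design`. Both `d` and `Z` omit `mode`, so the directory is created with the tmpfiles default and `Z` leaves existing modes alone — equivalent to the removed `-` entries.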


@ -157,7 +157,14 @@ in {
systemd = {
# Ensure creation of config directory
tmpfiles.rules = ["d ${cfg.configDir} - ${cfg.user} ${cfg.group}"];
tmpfiles.settings."10-syncthing" = {
${cfg.configDir} = {
d = {
user = cfg.user;
group = cfg.group;
};
};
};
#!! Syncthing needs to start after mounting or there is a risk of file deletion
# https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/networking/syncthing.nix#L646