From 16c295d7c1f5146492f67ff3e88d47aaac113f10 Mon Sep 17 00:00:00 2001
From: Myned
Date: Fri, 6 Dec 2024 19:48:23 -0600
Subject: [PATCH] nix: use tmpfiles.settings instead of rules

Signed-off-by: Myned
---
 options/custom/containers/coturn.nix | 13 ++++++++-----
 options/custom/containers/default.nix | 11 ++++++++++-
 options/custom/containers/netbox/default.nix | 10 +++++++++-
 options/custom/files/mnt.nix | 10 +++++++++-
 options/custom/files/nixos.nix | 19 +++++++++++++++----
 options/custom/services/caddy.nix | 18 ++++++++++++++----
 options/custom/services/syncthing.nix | 9 ++++++++-
 7 files changed, 73 insertions(+), 17 deletions(-)

diff --git a/options/custom/containers/coturn.nix b/options/custom/containers/coturn.nix
index a99e989..128287c 100644
--- a/options/custom/containers/coturn.nix
+++ b/options/custom/containers/coturn.nix
@@ -38,10 +38,13 @@ in {
     # TODO: Use nobody:nogroup instead when docker allows changing mount ownership
     # HACK: Copy with global read-only permissions in container directory which is assumed to be locked down
     # https://github.com/moby/moby/issues/2259
-    systemd.tmpfiles.rules = [
-      "C ${config.custom.containers.directory}/coturn/coturn.conf 0444 - - - ${
-        config.age.secrets."${config.custom.profile}/coturn/coturn.conf".path
-      }"
-    ];
+    systemd.tmpfiles.settings."10-coturn" = {
+      "${config.custom.containers.directory}/coturn/coturn.conf" = {
+        C = {
+          mode = "0444";
+          argument = "${config.age.secrets."${config.custom.profile}/coturn/coturn.conf".path}";
+        };
+      };
+    };
   };
 }
diff --git a/options/custom/containers/default.nix b/options/custom/containers/default.nix
index 3ee5a13..436a1ca 100644
--- a/options/custom/containers/default.nix
+++ b/options/custom/containers/default.nix
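Review bot: The new `C` entry copies the age secret into `${config.custom.containers.directory}/coturn/coturn.conf` only while that destination does not exist, so a changed or rotated secret is not picked up until the stale copy is removed by hand; the old rule behaved the same way, but since the HACK comment already explains the 0444 mode it should also state this, e.g. `# C only copies when the destination is absent; delete the copy to pick up a rotated secret`. The `argument` value also wraps an existing string in a redundant interpolation; `argument = config.age.secrets."${config.custom.profile}/coturn/coturn.conf".path;` reads the same. The enclosing `config = mkIf …` block begins above this hunk.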
@@ -79,7 +79,16 @@ in {
       podman-tui
     ];
 
-    systemd.tmpfiles.rules = ["d /containers 0700 root root"]; # Custom directory for containers
+    systemd.tmpfiles.settings."10-containers" = {
+      "/containers" = {
+        d = {
+          mode = "0700";
+          user = "root";
+          group = "root";
+        };
+      };
+    };
+
     users.users.${config.custom.username}.extraGroups = [
       (
         if cfg.docker
diff --git a/options/custom/containers/netbox/default.nix b/options/custom/containers/netbox/default.nix
index f3c84da..386ceff 100644
--- a/options/custom/containers/netbox/default.nix
+++ b/options/custom/containers/netbox/default.nix
@@ -81,6 +81,14 @@ in {
     };
 
     #!! Required for correct volume permissions
-    systemd.tmpfiles.rules = ["z ${config.custom.containers.directory}/netbox/media 0770 999 root"]; # unit:root
+    systemd.tmpfiles.settings."10-netbox" = {
+      "${config.custom.containers.directory}/netbox/media" = {
+        z = {
+          mode = "0770";
+          user = "999"; # unit
+          group = "root";
+        };
+      };
+    };
   };
 }
diff --git a/options/custom/files/mnt.nix b/options/custom/files/mnt.nix
index 5c4b856..2c61748 100644
--- a/options/custom/files/mnt.nix
+++ b/options/custom/files/mnt.nix
@@ -10,6 +10,14 @@ in {
   config = mkIf cfg.enable {
     # Set /mnt permissions
-    systemd.tmpfiles.rules = ["z /mnt 0755 root root"];
+    systemd.tmpfiles.settings."10-mnt" = {
+      "/mnt" = {
+        z = {
+          mode = "0755";
+          user = "root";
+          group = "root";
+        };
+      };
+    };
   };
 }
diff --git a/options/custom/files/nixos.nix b/options/custom/files/nixos.nix
index 028dc97..0548289 100644
--- a/options/custom/files/nixos.nix
+++ b/options/custom/files/nixos.nix
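Review bot: In the default.nix hunk the directory is hard-coded as `"/containers"` while the coturn and netbox hunks key their entries on `${config.custom.containers.directory}`, so if that option is ever pointed elsewhere the 0700 root:root lockdown that the coturn HACK comment relies on stays on the wrong path; assuming the option defaults to /containers, `"${config.custom.containers.directory}" = {` keeps the three files in step. The old rule's trailing `# Custom directory for containers` comment was also dropped in the rewrite and is worth restoring above the `d` entry. The enclosing block starts and ends outside this hunk.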
@@ -11,9 +11,20 @@ in {
   config = mkIf cfg.enable {
     # https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html
     # Create NixOS configuration directory and set permissions
-    systemd.tmpfiles.rules = [
-      "d /etc/nixos 0755 myned root"
-      "Z /etc/nixos - myned root" # Recursively set owner
-    ];
+    systemd.tmpfiles.settings."10-nixos" = {
+      "/etc/nixos" = {
+        d = {
+          mode = "0755";
+          user = config.custom.username;
+          group = "root";
+        };
+
+        #!! Recursive
+        Z = {
+          user = config.custom.username;
+          group = "root";
+        };
+      };
+    };
   };
 }
diff --git a/options/custom/services/caddy.nix b/options/custom/services/caddy.nix
index 75815d1..cadfaaf 100644
--- a/options/custom/services/caddy.nix
+++ b/options/custom/services/caddy.nix
@@ -35,10 +35,20 @@ in {
     };
 
     # Serve static files
-    systemd.tmpfiles.rules = [
-      "d /srv/static - caddy caddy"
-      "Z /srv/static - caddy caddy"
-    ];
+    systemd.tmpfiles.settings."10-caddy" = {
+      "/srv/static" = {
+        d = {
+          user = "caddy";
+          group = "caddy";
+        };
+
+        #!! Recursive
+        Z = {
+          user = "caddy";
+          group = "caddy";
+        };
+      };
+    };
 
     # https://wiki.nixos.org/wiki/Firewall
     # https://github.com/coturn/coturn/blob/master/docker/coturn/README.md
diff --git a/options/custom/services/syncthing.nix b/options/custom/services/syncthing.nix
index 105407a..cb9dc9e 100644
--- a/options/custom/services/syncthing.nix
+++ b/options/custom/services/syncthing.nix
@@ -157,7 +157,14 @@ in {
     systemd = {
       # Ensure creation of config directory
-      tmpfiles.rules = ["d ${cfg.configDir} - ${cfg.user} ${cfg.group}"];
+      tmpfiles.settings."10-syncthing" = {
+        ${cfg.configDir} = {
+          d = {
+            user = cfg.user;
+            group = cfg.group;
+          };
+        };
+      };
 
       #!! Syncthing needs to start after mounting or there is a risk of file deletion
       # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/networking/syncthing.nix#L646
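Review bot: In the nixos.nix hunk the `Z` entry carries no mode, so each time systemd-tmpfiles applies this configuration it recursively re-owns /etc/nixos to `config.custom.username` while leaving modes alone; anything placed there that was meant to stay root-owned (a secret, a generated file) is silently handed to the unprivileged user on the next run, which the bare `#!! Recursive` comment does not convey. A fuller comment such as `#!! Recursively re-owns everything under /etc/nixos on each tmpfiles run (modes untouched); keep root-only files elsewhere` would make the caveat visible, and the old `# Recursively set owner` wording at least named the effect. The `Z` entry on /srv/static in the caddy.nix hunk has the same property for the caddy user. The enclosing `config = mkIf …` block begins above the hunk.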