nix: use tmpfiles.settings instead of rules
Signed-off-by: Myned <dev@bjork.tech>
parent
8bde5c66e6
commit
16c295d7c1
7 changed files with 73 additions and 17 deletions
|
@ -38,10 +38,13 @@ in {
|
||||||
# TODO: Use nobody:nogroup instead when docker allows changing mount ownership
|
# TODO: Use nobody:nogroup instead when docker allows changing mount ownership
|
||||||
# HACK: Copy with global read-only permissions in container directory which is assumed to be locked down
|
# HACK: Copy with global read-only permissions in container directory which is assumed to be locked down
|
||||||
# https://github.com/moby/moby/issues/2259
|
# https://github.com/moby/moby/issues/2259
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.settings."10-coturn" = {
|
||||||
"C ${config.custom.containers.directory}/coturn/coturn.conf 0444 - - - ${
|
"${config.custom.containers.directory}/coturn/coturn.conf" = {
|
||||||
config.age.secrets."${config.custom.profile}/coturn/coturn.conf".path
|
C = {
|
||||||
}"
|
mode = "0444";
|
||||||
];
|
argument = "${config.age.secrets."${config.custom.profile}/coturn/coturn.conf".path}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
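Review bot: The `C` entry with `mode = "0444"` still copies an agenix secret into a world-readable file, and nothing in the new block records that this is only acceptable because the parent containers directory (presumably `config.custom.containers.directory`, created `0700 root root` in the containers hunk of this commit) is locked down; I would extend the HACK comment to state that dependency, e.g. `# HACK: 0444 is only safe while the containers directory stays 0700 root:root`. Separately, tmpfiles `C` copies only when the destination does not yet exist, so a rotated secret will not reach `coturn.conf` until the old copy is removed — worth a comment, or the `C+` variant if the deployed systemd version supports it. The enclosing module attrset starts outside the hunk.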
@ -79,7 +79,16 @@ in {
|
||||||
podman-tui
|
podman-tui
|
||||||
];
|
];
|
||||||
|
|
||||||
systemd.tmpfiles.rules = ["d /containers 0700 root root"]; # Custom directory for containers
|
systemd.tmpfiles.settings."10-containers" = {
|
||||||
|
"/containers" = {
|
||||||
|
d = {
|
||||||
|
mode = "0700";
|
||||||
|
user = "root";
|
||||||
|
group = "root";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
users.users.${config.custom.username}.extraGroups = [
|
users.users.${config.custom.username}.extraGroups = [
|
||||||
(
|
(
|
||||||
if cfg.docker
|
if cfg.docker
|
||||||
|
|
|
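Review bot: The explanatory comment on the removed line (`# Custom directory for containers`) is dropped in the new block, leaving `"/containers" = {` without a purpose comment; restore it as a full-line comment above that key. Since the coturn hunk copies a secret into this tree with global read bits, I would also state that the `0700` here is a security boundary rather than a convenience, e.g. `# 0700 root:root: secrets are copied below this directory with mode 0444 (see coturn module)`. The enclosing attrset starts outside the hunk.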
@ -81,6 +81,14 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
#!! Required for correct volume permissions
|
#!! Required for correct volume permissions
|
||||||
systemd.tmpfiles.rules = ["z ${config.custom.containers.directory}/netbox/media 0770 999 root"]; # unit:root
|
systemd.tmpfiles.settings."10-netbox" = {
|
||||||
|
"${config.custom.containers.directory}/netbox/media" = {
|
||||||
|
z = {
|
||||||
|
mode = "0770";
|
||||||
|
user = "999"; # unit
|
||||||
|
group = "root";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
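Review bot: The literal `user = "999"` is explained only by the trailing `# unit` comment, which does not say where the uid comes from or how it is kept in sync with the container image; I would replace it with a full-line comment such as `# 999 = uid the netbox container process runs as; re-check when the image is bumped`. Note also that `z` adjusts only the `media` directory itself, not files already inside it; if existing contents must be writable by that uid, the recursive `Z` form used elsewhere in this commit is the one to use — I cannot tell from the hunk which is intended. The enclosing attrset starts outside the hunk.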
@ -10,6 +10,14 @@ in {
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
# Set /mnt permissions
|
# Set /mnt permissions
|
||||||
systemd.tmpfiles.rules = ["z /mnt 0755 root root"];
|
systemd.tmpfiles.settings."10-mnt" = {
|
||||||
|
"/mnt" = {
|
||||||
|
z = {
|
||||||
|
mode = "0755";
|
||||||
|
user = "root";
|
||||||
|
group = "root";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -11,9 +11,20 @@ in {
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
# https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html
|
# https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html
|
||||||
# Create NixOS configuration directory and set permissions
|
# Create NixOS configuration directory and set permissions
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.settings."10-nixos" = {
|
||||||
"d /etc/nixos 0755 myned root"
|
"/etc/nixos" = {
|
||||||
"Z /etc/nixos - myned root" # Recursively set owner
|
d = {
|
||||||
];
|
mode = "0755";
|
||||||
|
user = config.custom.username;
|
||||||
|
group = "root";
|
||||||
|
};
|
||||||
|
|
||||||
|
#!! Recursive
|
||||||
|
Z = {
|
||||||
|
user = config.custom.username;
|
||||||
|
group = "root";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
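Review bot: The `Z` entry recursively hands ownership of `/etc/nixos` — the configuration that `nixos-rebuild` evaluates as root — to the unprivileged `config.custom.username` account, and the `#!! Recursive` marker does not state that consequence; a comment like `#!! Recursive: this user can alter the config applied at the next rebuild, so treat the account as root-equivalent` would make the trade-off explicit. The same recursive re-own pattern appears in the caddy hunk for `/srv/static`, where the comment should say whether files deployed by other users are meant to be re-owned on every tmpfiles run. The module function starts outside the hunk.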
@ -35,10 +35,20 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
# Serve static files
|
# Serve static files
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.settings."10-caddy" = {
|
||||||
"d /srv/static - caddy caddy"
|
"/srv/static" = {
|
||||||
"Z /srv/static - caddy caddy"
|
d = {
|
||||||
];
|
user = "caddy";
|
||||||
|
group = "caddy";
|
||||||
|
};
|
||||||
|
|
||||||
|
#!! Recursive
|
||||||
|
Z = {
|
||||||
|
user = "caddy";
|
||||||
|
group = "caddy";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# https://wiki.nixos.org/wiki/Firewall
|
# https://wiki.nixos.org/wiki/Firewall
|
||||||
# https://github.com/coturn/coturn/blob/master/docker/coturn/README.md
|
# https://github.com/coturn/coturn/blob/master/docker/coturn/README.md
|
||||||
|
|
|
@ -157,7 +157,14 @@ in {
|
||||||
|
|
||||||
systemd = {
|
systemd = {
|
||||||
# Ensure creation of config directory
|
# Ensure creation of config directory
|
||||||
tmpfiles.rules = ["d ${cfg.configDir} - ${cfg.user} ${cfg.group}"];
|
tmpfiles.settings."10-syncthing" = {
|
||||||
|
${cfg.configDir} = {
|
||||||
|
d = {
|
||||||
|
user = cfg.user;
|
||||||
|
group = cfg.group;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
#!! Syncthing needs to start after mounting or there is a risk of file deletion
|
#!! Syncthing needs to start after mounting or there is a risk of file deletion
|
||||||
# https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/networking/syncthing.nix#L646
|
# https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/networking/syncthing.nix#L646
|
||||||
|
|
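Review bot: The `d` entry for `${cfg.configDir}` sets user and group but no mode, so tmpfiles falls back to its directory default (0755) for a directory that, for Syncthing, holds the device private key and the config file containing the GUI API key; I would add `mode = "0700";` next to `user = cfg.user;` unless another service must traverse the directory. This matches the previous rule's `-` mode, so it is a pre-existing gap rather than a regression, but the settings form makes it cheap to close. The enclosing `systemd = {` attrset is cut at both ends of the hunk.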