
nix: use tmpfiles.settings instead of rules

Signed-off-by: Myned <dev@bjork.tech>
Myned 2024-12-06 19:48:23 -06:00
parent 8bde5c66e6
commit 16c295d7c1
Signed by: myned
GPG key ID: C7224454F7881A34
7 changed files with 73 additions and 17 deletions


@ -38,10 +38,13 @@ in {
# TODO: Use nobody:nogroup instead when docker allows changing mount ownership # TODO: Use nobody:nogroup instead when docker allows changing mount ownership
# HACK: Copy with global read-only permissions in container directory which is assumed to be locked down # HACK: Copy with global read-only permissions in container directory which is assumed to be locked down
# https://github.com/moby/moby/issues/2259 # https://github.com/moby/moby/issues/2259
systemd.tmpfiles.rules = [ systemd.tmpfiles.settings."10-coturn" = {
"C ${config.custom.containers.directory}/coturn/coturn.conf 0444 - - - ${ "${config.custom.containers.directory}/coturn/coturn.conf" = {
config.age.secrets."${config.custom.profile}/coturn/coturn.conf".path C = {
}" mode = "0444";
]; argument = "${config.age.secrets."${config.custom.profile}/coturn/coturn.conf".path}";
};
};
};
}; };
} }
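Review bot: The `C` entry at `C = { mode = "0444"; argument = …; }` only copies the secret when the destination does not exist yet — as I read tmpfiles.d(5), `C` leaves an existing file untouched — so a rotated agenix secret would not reach `coturn.conf` in the container directory until the stale copy is removed; a comment such as `# NOTE: C does not refresh an existing file; remove it to pick up a rotated secret` would make that visible, or a different line type if refresh is wanted. The interpolation around `argument` is redundant since `.path` is already a string: `argument = config.age.secrets."${config.custom.profile}/coturn/coturn.conf".path;`. The HACK comment above still correctly records that the 0444 copy relies on the container directory being locked down.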


@ -79,7 +79,16 @@ in {
podman-tui podman-tui
]; ];
systemd.tmpfiles.rules = ["d /containers 0700 root root"]; # Custom directory for containers systemd.tmpfiles.settings."10-containers" = {
"/containers" = {
d = {
mode = "0700";
user = "root";
group = "root";
};
};
};
users.users.${config.custom.username}.extraGroups = [ users.users.${config.custom.username}.extraGroups = [
( (
if cfg.docker if cfg.docker
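Review bot: The trailing comment `# Custom directory for containers` on the old `systemd.tmpfiles.rules` line is dropped in the new `systemd.tmpfiles.settings."10-containers"` block, and it was the only explanation of why `/containers` exists. Restore it above the new attribute: `# Custom directory for containers`. The 0700 root:root `d` entry is otherwise a faithful conversion of the old rule.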


@ -81,6 +81,14 @@ in {
}; };
#!! Required for correct volume permissions #!! Required for correct volume permissions
systemd.tmpfiles.rules = ["z ${config.custom.containers.directory}/netbox/media 0770 999 root"]; # unit:root systemd.tmpfiles.settings."10-netbox" = {
"${config.custom.containers.directory}/netbox/media" = {
z = {
mode = "0770";
user = "999"; # unit
group = "root";
};
};
};
}; };
} }
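Review bot: `user = "999"; # unit` keeps the hard-coded numeric UID from the old `z … 0770 999 root` rule, but the shortened comment no longer says what 999 is; presumably it is the UID the netbox container runs as, which is not visible in this hunk. A fuller comment would save the next reader a lookup, e.g. `user = "999"; # UID of the netbox unit user inside the container — verify against the image`. Since `z` only adjusts an already-existing path, the `#!! Required for correct volume permissions` note above still applies unchanged.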


@ -10,6 +10,14 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
# Set /mnt permissions # Set /mnt permissions
systemd.tmpfiles.rules = ["z /mnt 0755 root root"]; systemd.tmpfiles.settings."10-mnt" = {
"/mnt" = {
z = {
mode = "0755";
user = "root";
group = "root";
};
};
};
}; };
} }


@ -11,9 +11,20 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
# https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html # https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html
# Create NixOS configuration directory and set permissions # Create NixOS configuration directory and set permissions
systemd.tmpfiles.rules = [ systemd.tmpfiles.settings."10-nixos" = {
"d /etc/nixos 0755 myned root" "/etc/nixos" = {
"Z /etc/nixos - myned root" # Recursively set owner d = {
]; mode = "0755";
user = config.custom.username;
group = "root";
};
#!! Recursive
Z = {
user = config.custom.username;
group = "root";
};
};
};
}; };
} }
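Review bot: Besides the format conversion, this hunk replaces the literal owner `myned` from `d /etc/nixos 0755 myned root` and the `Z` rule with `config.custom.username`, which changes the effective owner on any host where that option is not `myned`; this is not mentioned in the commit message and deserves a sentence there or a comment such as `# Owned by the configured user rather than a fixed account`. The `Z` entry recursively re-owns everything under `/etc/nixos` on every tmpfiles run, as the old rule did, so the `#!! Recursive` marker is appropriate. The same `user`/`group` pair is repeated in `d` and `Z` here and again in the `10-caddy` block below; a local `let owner = { user = config.custom.username; group = "root"; }; in` with `d = owner // { mode = "0755"; }; Z = owner;` would keep the two entries in sync.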


@ -35,10 +35,20 @@ in {
}; };
# Serve static files # Serve static files
systemd.tmpfiles.rules = [ systemd.tmpfiles.settings."10-caddy" = {
"d /srv/static - caddy caddy" "/srv/static" = {
"Z /srv/static - caddy caddy" d = {
]; user = "caddy";
group = "caddy";
};
#!! Recursive
Z = {
user = "caddy";
group = "caddy";
};
};
};
# https://wiki.nixos.org/wiki/Firewall # https://wiki.nixos.org/wiki/Firewall
# https://github.com/coturn/coturn/blob/master/docker/coturn/README.md # https://github.com/coturn/coturn/blob/master/docker/coturn/README.md


@ -157,7 +157,14 @@ in {
systemd = { systemd = {
# Ensure creation of config directory # Ensure creation of config directory
tmpfiles.rules = ["d ${cfg.configDir} - ${cfg.user} ${cfg.group}"]; tmpfiles.settings."10-syncthing" = {
${cfg.configDir} = {
d = {
user = cfg.user;
group = cfg.group;
};
};
};
#!! Syncthing needs to start after mounting or there is a risk of file deletion #!! Syncthing needs to start after mounting or there is a risk of file deletion
# https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/networking/syncthing.nix#L646 # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/networking/syncthing.nix#L646