nix: use tmpfiles.settings instead of rules
Signed-off-by: Myned <dev@bjork.tech>
parent
8bde5c66e6
commit
16c295d7c1
7 changed files with 73 additions and 17 deletions
@ -38,10 +38,13 @@ in {
|
|||
# TODO: Use nobody:nogroup instead when docker allows changing mount ownership
|
||||
# HACK: Copy with global read-only permissions in container directory which is assumed to be locked down
|
||||
# https://github.com/moby/moby/issues/2259
|
||||
systemd.tmpfiles.rules = [
|
||||
"C ${config.custom.containers.directory}/coturn/coturn.conf 0444 - - - ${
|
||||
config.age.secrets."${config.custom.profile}/coturn/coturn.conf".path
|
||||
}"
|
||||
];
|
||||
systemd.tmpfiles.settings."10-coturn" = {
|
||||
"${config.custom.containers.directory}/coturn/coturn.conf" = {
|
||||
C = {
|
||||
mode = "0444";
|
||||
argument = "${config.age.secrets."${config.custom.profile}/coturn/coturn.conf".path}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
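Review bot: The `C` entry in the new `10-coturn` settings only copies the agenix secret when the destination file does not exist yet, so a rotated `coturn.conf` secret will not reach the 0444 copy on later activations until the stale copy is removed by hand; if I recall the tmpfiles.d semantics correctly, the `C+` type (`"C+" = { mode = "0444"; argument = …; }`) copies unconditionally and is the safer choice for secret material. The world-readable mode is defensible only because the parent directory is expected to be locked down, and the HACK comment should say that dependency out loud, e.g. `# Readable by everyone: secrecy of this file rests entirely on the 0700 mode of the containers directory`. The `in {` attribute set this hunk sits in starts before the hunk.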
@ -79,7 +79,16 @@ in {
|
|||
podman-tui
|
||||
];
|
||||
|
||||
systemd.tmpfiles.rules = ["d /containers 0700 root root"]; # Custom directory for containers
|
||||
systemd.tmpfiles.settings."10-containers" = {
|
||||
"/containers" = {
|
||||
d = {
|
||||
mode = "0700";
|
||||
user = "root";
|
||||
group = "root";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
users.users.${config.custom.username}.extraGroups = [
|
||||
(
|
||||
if cfg.docker
|
||||
|
|
|
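Review bot: The explanatory comment `# Custom directory for containers` on the removed `rules` line was dropped in the migration to `10-containers`, leaving the new block undocumented. The `0700` mode is also what the coturn hunk in this commit relies on when it copies a secret into this tree with a world-readable mode, so that is worth recording: `# Custom directory for containers; 0700 is load-bearing because secrets below it are copied with 0444`. Whether an already existing `/containers` with looser permissions is corrected by a `d` entry depends on the systemd version's handling of existing directories, which I have not verified here. The enclosing attribute set starts before this hunk.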
@ -81,6 +81,14 @@ in {
|
|||
};
|
||||
|
||||
#!! Required for correct volume permissions
|
||||
systemd.tmpfiles.rules = ["z ${config.custom.containers.directory}/netbox/media 0770 999 root"]; # unit:root
|
||||
systemd.tmpfiles.settings."10-netbox" = {
|
||||
"${config.custom.containers.directory}/netbox/media" = {
|
||||
z = {
|
||||
mode = "0770";
|
||||
user = "999"; # unit
|
||||
group = "root";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
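Review bot: `user = "999"` in `10-netbox` hard-codes a UID that the `# unit` comment does not explain, so a reader cannot tell whether 999 is the process user inside the container or a host account, and any host account later created with UID 999 silently gains rwx on the media volume through the 0770 mode. I'd make the comment carry that: `# 999 = UID the netbox process runs as inside the container (no host user); must match the image`. Note also that `z` only adjusts a path that already exists, so if the media directory is first created by the container runtime after tmpfiles has run, the ownership is not applied until the next activation; a `d` entry for the same path would close that window. The enclosing attribute set starts before this hunk.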
@ -10,6 +10,14 @@ in {
|
|||
|
||||
config = mkIf cfg.enable {
|
||||
# Set /mnt permissions
|
||||
systemd.tmpfiles.rules = ["z /mnt 0755 root root"];
|
||||
systemd.tmpfiles.settings."10-mnt" = {
|
||||
"/mnt" = {
|
||||
z = {
|
||||
mode = "0755";
|
||||
user = "root";
|
||||
group = "root";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -11,9 +11,20 @@ in {
|
|||
config = mkIf cfg.enable {
|
||||
# https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html
|
||||
# Create NixOS configuration directory and set permissions
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /etc/nixos 0755 myned root"
|
||||
"Z /etc/nixos - myned root" # Recursively set owner
|
||||
];
|
||||
systemd.tmpfiles.settings."10-nixos" = {
|
||||
"/etc/nixos" = {
|
||||
d = {
|
||||
mode = "0755";
|
||||
user = config.custom.username;
|
||||
group = "root";
|
||||
};
|
||||
|
||||
#!! Recursive
|
||||
Z = {
|
||||
user = config.custom.username;
|
||||
group = "root";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
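Review bot: The recursive `Z` entry in `10-nixos` re-chowns everything under `/etc/nixos` to `config.custom.username` on every activation, which hands whoever holds that account (or any process running as it) control over the configuration that is presumably later built and activated as root; the `#!! Recursive` marker notes the scope but not that consequence. Because `Z` is given no mode, it also leaves existing permissions untouched, so a group- or world-writable file dropped into the tree stays writable. I'd state the trust decision next to the entry: `# Owner of /etc/nixos effectively controls the next rebuild; confirm this is intended for this machine`. Replacing the hard-coded `myned` with `config.custom.username` is an improvement; the enclosing attribute set starts before this hunk.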
@ -35,10 +35,20 @@ in {
|
|||
};
|
||||
|
||||
# Serve static files
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /srv/static - caddy caddy"
|
||||
"Z /srv/static - caddy caddy"
|
||||
];
|
||||
systemd.tmpfiles.settings."10-caddy" = {
|
||||
"/srv/static" = {
|
||||
d = {
|
||||
user = "caddy";
|
||||
group = "caddy";
|
||||
};
|
||||
|
||||
#!! Recursive
|
||||
Z = {
|
||||
user = "caddy";
|
||||
group = "caddy";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# https://wiki.nixos.org/wiki/Firewall
|
||||
# https://github.com/coturn/coturn/blob/master/docker/coturn/README.md
|
||||
|
|
|
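Review bot: `Z` in `10-caddy` recursively makes `caddy` the owner of `/srv/static`, so the web server process can rewrite the content it serves; if the directory is only read by Caddy, as the `# Serve static files` comment suggests, the usual hardening is root-owned, caddy-readable content, e.g. `user = "root"; group = "caddy";` on both entries with `mode = "0750";` on the `d` entry. If some other process does need to write there as `caddy`, a comment naming it would make the ownership choice defensible. Leaving the `d` mode unset also deserves a note, `# mode omitted: tmpfiles default applies`, since the removed rule's `-` made that explicit. The enclosing attribute set starts before this hunk.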
@ -157,7 +157,14 @@ in {
|
|||
|
||||
systemd = {
|
||||
# Ensure creation of config directory
|
||||
tmpfiles.rules = ["d ${cfg.configDir} - ${cfg.user} ${cfg.group}"];
|
||||
tmpfiles.settings."10-syncthing" = {
|
||||
${cfg.configDir} = {
|
||||
d = {
|
||||
user = cfg.user;
|
||||
group = cfg.group;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
#!! Syncthing needs to start after mounting or there is a risk of file deletion
|
||||
# https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/networking/syncthing.nix#L646
|
||||
|
|
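Review bot: The `d` entry for `${cfg.configDir}` in `10-syncthing` sets no `mode`, so the directory is created with the tmpfiles default even though, to my understanding, Syncthing's config directory holds its TLS device key and API key; I'd add `mode = "0700";` so the directory itself, not only individual files, is private to `cfg.user`. The removed `rules` line had the same gap (`-` mode), so this is pre-existing rather than a regression, but the migration is the natural point to tighten it. The `systemd = {` set this entry lives in closes outside the hunk.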