From fa010778561d450ae90d24ece19ab174ef8a2222 Mon Sep 17 00:00:00 2001 From: Simon Gardling Date: Thu, 12 Feb 2026 13:51:05 -0500 Subject: [PATCH] refactor(tmpfiles): migrate 12 services to deferred serviceFilePerms --- services/bitwarden.nix | 9 ++++----- services/gitea.nix | 8 +++----- services/immich.nix | 7 +++---- services/jellyfin.nix | 9 ++++----- services/matrix.nix | 7 +++---- services/minecraft.nix | 6 ++++-- services/monero.nix | 6 +++--- services/ntfy.nix | 6 +++--- services/postgresql.nix | 7 +++---- services/qbittorrent.nix | 11 +++++------ services/soulseek.nix | 13 ++++++------- services/syncthing.nix | 10 +++++----- 12 files changed, 46 insertions(+), 53 deletions(-) diff --git a/services/bitwarden.nix b/services/bitwarden.nix index 85bba39..a600db9 100644 --- a/services/bitwarden.nix +++ b/services/bitwarden.nix @@ -15,6 +15,10 @@ service_configs.vaultwarden.path config.services.vaultwarden.backupDir ]) + (lib.serviceFilePerms "vaultwarden" [ + "Z ${service_configs.vaultwarden.path} 0700 vaultwarden vaultwarden" + "Z ${config.services.vaultwarden.backupDir} 0700 vaultwarden vaultwarden" + ]) ]; services.vaultwarden = { @@ -39,11 +43,6 @@ } ''; - systemd.tmpfiles.rules = [ - "Z ${service_configs.vaultwarden.path} 0700 vaultwarden vaultwarden" - "Z ${config.services.vaultwarden.backupDir} 0700 vaultwarden vaultwarden" - ]; - # Protect Vaultwarden login from brute force attacks services.fail2ban.jails.vaultwarden = { enabled = true; diff --git a/services/gitea.nix b/services/gitea.nix index 5f938df..77a1a43 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -8,6 +8,9 @@ { imports = [ (lib.serviceMountWithZpool "gitea" service_configs.zpool_ssds [ config.services.gitea.stateDir ]) + (lib.serviceFilePerms "gitea" [ + "Z ${config.services.gitea.stateDir} 0700 ${config.services.gitea.user} ${config.services.gitea.group}" + ]) ]; services.gitea = { @@ -41,11 +44,6 @@ reverse_proxy :${builtins.toString config.services.gitea.settings.server.HTTP_PORT} ''; - systemd.tmpfiles.rules = [ - # 0700 for ssh permission reasons - "Z ${config.services.gitea.stateDir} 0700 ${config.services.gitea.user} ${config.services.gitea.group}" - ]; - services.postgresql = { ensureDatabases = [ config.services.gitea.user ]; ensureUsers = [ diff --git a/services/immich.nix b/services/immich.nix index fddd106..363d09e 100644 --- a/services/immich.nix +++ b/services/immich.nix @@ -13,6 +13,9 @@ (lib.serviceMountWithZpool "immich-machine-learning" service_configs.zpool_ssds [ config.services.immich.mediaLocation ]) + (lib.serviceFilePerms "immich-server" [ + "Z ${config.services.immich.mediaLocation} 0770 ${config.services.immich.user} ${config.services.immich.group}" + ]) ]; services.immich = { @@ -30,10 +33,6 @@ reverse_proxy :${builtins.toString config.services.immich.port} ''; - systemd.tmpfiles.rules = [ - "Z ${config.services.immich.mediaLocation} 0770 ${config.services.immich.user} ${config.services.immich.group}" - ]; - environment.systemPackages = with pkgs; [ immich-go ]; diff --git a/services/jellyfin.nix b/services/jellyfin.nix index 3e6fe6f..6761c1a 100644 --- a/services/jellyfin.nix +++ b/services/jellyfin.nix @@ -11,6 +11,10 @@ config.services.jellyfin.dataDir config.services.jellyfin.cacheDir ]) + (lib.serviceFilePerms "jellyfin" [ + "Z ${config.services.jellyfin.dataDir} 0700 ${config.services.jellyfin.user} ${config.services.jellyfin.group}" + "Z ${config.services.jellyfin.cacheDir} 0700 ${config.services.jellyfin.user} ${config.services.jellyfin.group}" + ]) ]; services.jellyfin = { @@ -33,11 +37,6 @@ } ''; - systemd.tmpfiles.rules = [ - "Z ${config.services.jellyfin.dataDir} 0700 ${config.services.jellyfin.user} ${config.services.jellyfin.group}" - "Z ${config.services.jellyfin.cacheDir} 0700 ${config.services.jellyfin.user} ${config.services.jellyfin.group}" - ]; - users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" diff --git a/services/matrix.nix b/services/matrix.nix index fe9b0ea..e1d3b17 100644 --- a/services/matrix.nix +++ b/services/matrix.nix @@ -9,6 +9,9 @@ (lib.serviceMountWithZpool "continuwuity" service_configs.zpool_ssds [ "/var/lib/private/continuwuity" ]) + (lib.serviceFilePerms "continuwuity" [ + "Z /var/lib/private/continuwuity 0770 ${config.services.matrix-continuwuity.user} ${config.services.matrix-continuwuity.group}" + ]) ]; services.matrix-continuwuity = { @@ -58,10 +61,6 @@ services.caddy.virtualHosts."${service_configs.matrix.domain}:${builtins.toString service_configs.ports.matrix_federation}".extraConfig = config.services.caddy.virtualHosts."${service_configs.matrix.domain}".extraConfig; - systemd.tmpfiles.rules = [ - "Z /var/lib/private/continuwuity 0770 ${config.services.matrix-continuwuity.user} ${config.services.matrix-continuwuity.group}" - ]; - # for federation networking.firewall.allowedTCPPorts = [ service_configs.ports.matrix_federation diff --git a/services/minecraft.nix b/services/minecraft.nix index 45de8fa..47028a1 100644 --- a/services/minecraft.nix +++ b/services/minecraft.nix @@ -15,6 +15,10 @@ ] ) inputs.nix-minecraft.nixosModules.minecraft-servers + (lib.serviceFilePerms "minecraft-server-${service_configs.minecraft.server_name}" [ + "Z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 700 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}" + "Z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web 750 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}" + ]) ]; services.minecraft-servers = { @@ -132,10 +136,8 @@ }; systemd.tmpfiles.rules = [ - "Z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 700 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}" # Allow caddy (in minecraft group) to traverse to squaremap/web for map.gardling.com "z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 710 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}" "z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap 710 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}" - "Z ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web 750 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}" ]; } diff --git a/services/monero.nix b/services/monero.nix index 1792ecf..ce4869b 100644 --- a/services/monero.nix +++ b/services/monero.nix @@ -8,6 +8,9 @@ (lib.serviceMountWithZpool "monero" service_configs.zpool_hdds [ service_configs.monero.dataDir ]) + (lib.serviceFilePerms "monero" [ + "Z ${service_configs.monero.dataDir} 0700 monero monero" + ]) ]; services.monero = { @@ -18,7 +21,4 @@ }; }; - systemd.tmpfiles.rules = [ - "Z ${service_configs.monero.dataDir} 0700 monero monero" - ]; } diff --git a/services/ntfy.nix b/services/ntfy.nix index 84afd94..3b7dd1b 100644 --- a/services/ntfy.nix +++ b/services/ntfy.nix @@ -9,6 +9,9 @@ (lib.serviceMountWithZpool "ntfy-sh" service_configs.zpool_ssds [ "/var/lib/private/ntfy-sh" ]) + (lib.serviceFilePerms "ntfy-sh" [ + "Z /var/lib/private/ntfy-sh 0700 ${config.services.ntfy-sh.user} ${config.services.ntfy-sh.group}" + ]) ]; services.ntfy-sh = { @@ -28,7 +31,4 @@ reverse_proxy :${builtins.toString service_configs.ports.ntfy} ''; - systemd.tmpfiles.rules = [ - "Z /var/lib/private/ntfy-sh 0700 ${config.services.ntfy-sh.user} ${config.services.ntfy-sh.group}" - ]; } diff --git a/services/postgresql.nix b/services/postgresql.nix index c7a5d4b..6d380b8 100644 --- a/services/postgresql.nix +++ b/services/postgresql.nix @@ -10,6 +10,9 @@ (lib.serviceMountWithZpool "postgresql" service_configs.zpool_ssds [ config.services.postgresql.dataDir ]) + (lib.serviceFilePerms "postgresql" [ + "Z ${config.services.postgresql.dataDir} 0700 postgresql postgresql" + ]) ]; services.postgresql = { @@ -18,8 +21,4 @@ dataDir = service_configs.postgres.dataDir; }; - systemd.tmpfiles.rules = [ - # postgresql requires 0700 - "Z ${config.services.postgresql.dataDir} 0700 postgresql postgresql" - ]; } diff --git a/services/qbittorrent.nix b/services/qbittorrent.nix index bcd1ebb..303f877 100644 --- a/services/qbittorrent.nix +++ b/services/qbittorrent.nix @@ -17,6 +17,11 @@ "${config.services.qbittorrent.profileDir}/qBittorrent" ]) (lib.vpnNamespaceOpenPort config.services.qbittorrent.webuiPort "qbittorrent") + (lib.serviceFilePerms "qbittorrent" [ + "Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0750 ${config.services.qbittorrent.user} ${service_configs.media_group}" + "Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}" + "Z ${config.services.qbittorrent.profileDir} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}" + ]) ]; services.qbittorrent = { @@ -96,12 +101,6 @@ systemd.services.qbittorrent.serviceConfig.TimeoutStopSec = lib.mkForce 10; - systemd.tmpfiles.rules = [ - "Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0750 ${config.services.qbittorrent.user} ${service_configs.media_group}" - "Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}" - "Z ${config.services.qbittorrent.profileDir} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}" - ]; - services.caddy.virtualHosts."torrent.${service_configs.https.domain}".extraConfig = '' import ${config.age.secrets.caddy_auth.path} reverse_proxy ${config.vpnNamespaces.wg.namespaceAddress}:${builtins.toString config.services.qbittorrent.webuiPort} diff --git a/services/soulseek.nix b/services/soulseek.nix index 86a508c..f2aa999 100644 --- a/services/soulseek.nix +++ b/services/soulseek.nix @@ -16,6 +16,12 @@ in service_configs.slskd.downloads service_configs.slskd.incomplete ]) + (lib.serviceFilePerms "slskd" [ + "Z ${service_configs.music_dir} 0750 ${username} music" + "Z ${service_configs.slskd.base} 0750 ${config.services.slskd.user} ${config.services.slskd.group}" + "Z ${service_configs.slskd.downloads} 0750 ${config.services.slskd.user} music" + "Z ${service_configs.slskd.incomplete} 0750 ${config.services.slskd.user} music" + ]) ]; users.groups."music" = { }; @@ -65,13 +71,6 @@ in users.users.${config.services.jellyfin.user}.extraGroups = [ "music" ]; users.users.${username}.extraGroups = [ "music" ]; - systemd.tmpfiles.rules = [ - "Z ${service_configs.music_dir} 0750 ${username} music" - "Z ${service_configs.slskd.base} 0750 ${config.services.slskd.user} ${config.services.slskd.group}" - "Z ${service_configs.slskd.downloads} 0750 ${config.services.slskd.user} music" - "Z ${service_configs.slskd.incomplete} 0750 ${config.services.slskd.user} music" - ]; - # doesn't work with auth???? services.caddy.virtualHosts."soulseek.${service_configs.https.domain}".extraConfig = '' reverse_proxy :${builtins.toString config.services.slskd.settings.web.port} diff --git a/services/syncthing.nix b/services/syncthing.nix index d73713a..33d03ee 100644 --- a/services/syncthing.nix +++ b/services/syncthing.nix @@ -12,6 +12,11 @@ service_configs.syncthing.signalBackupDir service_configs.syncthing.grayjayBackupDir ]) + (lib.serviceFilePerms "syncthing" [ + "Z ${service_configs.syncthing.dataDir} 0750 ${config.services.syncthing.user} ${config.services.syncthing.group}" + "Z ${service_configs.syncthing.signalBackupDir} 0750 ${config.services.syncthing.user} ${config.services.syncthing.group}" + "Z ${service_configs.syncthing.grayjayBackupDir} 0750 ${config.services.syncthing.user} ${config.services.syncthing.group}" + ]) ]; services.syncthing = { @@ -46,9 +51,4 @@ reverse_proxy :${toString service_configs.ports.syncthing_gui} ''; - systemd.tmpfiles.rules = [ - "Z ${service_configs.syncthing.dataDir} 0750 ${config.services.syncthing.user} ${config.services.syncthing.group}" - "Z ${service_configs.syncthing.signalBackupDir} 0750 ${config.services.syncthing.user} ${config.services.syncthing.group}" - "Z ${service_configs.syncthing.grayjayBackupDir} 0750 ${config.services.syncthing.user} ${config.services.syncthing.group}" - ]; }