joinmarket-ob-watcher: use DynamicUser
DynamicUser simplifies services that don't need a persistent uid/gid, like joinmarket-ob-watcher. For existing installations the data dir migration to dynamic users is automatically handled by systemd.
This commit is contained in:
parent
e9c98f415c
commit
9d0b8c8f6f
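--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -46,16 +46,6 @@ in {
 default = "/var/lib/joinmarket-ob-watcher";
 description = "The data directory for JoinMarket orderbook watcher.";
 };
-user = mkOption {
-type = types.str;
-default = "joinmarket-ob-watcher";
-description = "The user as which to run JoinMarket orderbook watcher.";
-};
-group = mkOption {
-type = types.str;
-default = cfg.user;
-description = "The group as which to run JoinMarket orderbook watcher.";
-};
 # This option is only used by netns-isolation
 enforceTor = mkOption {
 readOnly = true;
@@ -73,10 +63,13 @@ in {
 wantedBy = [ "multi-user.target" ];
 requires = [ "tor.service" ];
 after = [ "tor.service" ];
+# The service writes to HOME/.config/matplotlib
+environment.HOME = cfg.dataDir;
 preStart = ''
 ln -snf ${configFile} ${cfg.dataDir}/joinmarket.cfg
 '';
 serviceConfig = nbLib.defaultHardening // rec {
+DynamicUser = true;
 StateDirectory = "joinmarket-ob-watcher";
 StateDirectoryMode = "0770";
 WorkingDirectory = cfg.dataDir; # The service creates dir 'logs' in the working dir
@@ -84,16 +77,9 @@ in {
 ${nbPkgs.joinmarket}/bin/ob-watcher --datadir=${cfg.dataDir} \
 --host=${cfg.address} --port=${toString cfg.port}
 '';
-User = cfg.user;
 Restart = "on-failure";
 RestartSec = "10s";
 } // nbLib.allowTor;
 };
-
-users.users.${cfg.user} = {
-group = cfg.group;
-home = cfg.dataDir; # The service writes to HOME/.config/matplotlib
-};
-users.groups.${cfg.group} = {};
 };
 }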
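Review bot: With `DynamicUser = true` the `dataDir` option is no longer meaningfully configurable, because `StateDirectory = "joinmarket-ob-watcher"` stays hardcoded while `preStart`, `environment.HOME`, `WorkingDirectory` and `--datadir` all use `cfg.dataDir`; a user who sets `dataDir` to anything other than the default can no longer pre-own that path for a uid that changes on every start, so the service would fail to write there. Either mark the option read-only like `enforceTor` (`readOnly = true;` inside the `dataDir` mkOption, whose header is outside the hunk) or derive the state directory from it and assert it lives under `/var/lib`. It would also help to note in the option description that the directory is managed by systemd's `StateDirectory` and, for existing installations, migrated into `/var/lib/private` as the commit message says. Removing the `user` and `group` options is a breaking change for any configuration that referenced them; if other modules in the tree read `cfg.user`, they will now fail at evaluation, which is worth checking before merge.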