public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/vault: replace deprecated usage of PermissionsStartOnly

Browse Source 
see https://github.com/NixOS/nixpkgs/issues/53852
This commit is contained in:
Aaron Andersen 2019-02-24 07:53:36 -05:00
parent 053c9a7992
commit a1c48c3f63
1 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
nixos/modules/services/security/vault.nix
View File

@ -119,6 +119,10 @@ in
}; };
users.groups.vault.gid = config.ids.gids.vault; users.groups.vault.gid = config.ids.gids.vault;
systemd.tmpfiles.rules = optional (cfg.storagePath != null) [
"d '${cfg.storagePath}' 0700 vault vault - -"
];
systemd.services.vault = { systemd.services.vault = {
description = "Vault server daemon"; description = "Vault server daemon";
@ -128,14 +132,9 @@ in
restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients. restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
preStart = optionalString (cfg.storagePath != null) ''
install -d -m0700 -o vault -g vault "${cfg.storagePath}"
'';
serviceConfig = { serviceConfig = {
User = "vault"; User = "vault";
Group = "vault"; Group = "vault";
PermissionsStartOnly = true;
ExecStart = "${cfg.package}/bin/vault server -config ${configFile}"; ExecStart = "${cfg.package}/bin/vault server -config ${configFile}";
PrivateDevices = true; PrivateDevices = true;
PrivateTmp = true; PrivateTmp = true;