This is to fix the following error in the test on aarch64-linux:
store# [ 126.911144] thanos[739]: level=error ts=2019-06-16T14:00:26.59870538Z caller=main.go:182 msg="running command failed" err="error executing compaction: first pass of downsampling failed: create dir: mkdir /var/lib/thanos-compact/downsample: no space left on device"
store# [ 126.942655] systemd[1]: thanos-compact.service: Main process exited, code=exited, status=1/FAILURE
Upstream switched to a different type of ipset table, whereas we
create ipset in post-start which overrides upstream, and renders
sshguard ineffective.
Remove ipset creation from post-start, and let it get automatically
by upstream script (sshg-fw-ipset) as part of startup
Introduces a trim timer similar to the fstrim service.
According to zpool(8) for consumer hardware periodic manual TRIM
is preferred over automatic TRIM that ZFS implements.
The period of one week is based on recommendations of fstrim.
The default for logFile is /var/log/couchdb.log, and the tmpfile rules chown
${dirOf cfg.logFile}, which is just /var/log, to couchdb:couchdb.
This was found by Edes' report on IRC, which looked like
Detected unsafe path transition /var/log → /var/log/journal during canonicalization of /var/log/journal
While this bug has been present since the initial couchdb module in
62438c09f7cc811f994510550614c9265b3b1d18 by @garbas, this wasn't a
problem, because the initial module only created and chowned /var/log
if it didn't exist yet, which can't occur because this gets created in
the initial phases of NixOS startup.
However with the recent move from manual preStart chown scripts to
systemd.tmpfiles.rules in 062efe018d571b1daa9c37b8c99eb39ad47d7342 (#59389),
this chown is suddenly running unconditionally at every system
activation, therefore triggering the above error.
Regression I caused with 3944aa051ca503e255a9da5cf03a58faf6dec268, sorry
for this! The Nextcloud installer broke back then because
`trusted_domains` was an empty value by default (a.k.a an empty array)
which seemed to break the config merger of Nextcloud as Nextcloud
doesn't do recursive merging and now no domain was trusted because of
that, hence Nextcloud was unreachable for the `curl` call.
