pyrox.dev / nixpkgs
lol
fork atom

nixos/unifi: refactor mountpoints

Use service internal bind mounts instead of global ones.

This also moves the logs to /var/log/unifi on the host
and the run directory to /run/unifi.

Closes #61424

authored by

Pascal Bach and committed by
Kerstin 0f60c45e 79ea7aa9

+64 -54
unified split
+33
nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
··· 1817 </listitem> 1818 </itemizedlist> 1819 </listitem> 1820 </itemizedlist> 1821 </section> 1822 </section>
··· 1817 </listitem> 1818 </itemizedlist> 1819 </listitem> 1820 + <listitem> 1821 + <para> 1822 + The 1823 + <link xlink:href="options.html#opt-services.unifi.enable">services.unifi</link> 1824 + module has been reworked, solving a number of issues. This 1825 + leads to several user facing changes: 1826 + </para> 1827 + <itemizedlist spacing="compact"> 1828 + <listitem> 1829 + <para> 1830 + The <literal>services.unifi.dataDir</literal> option is 1831 + removed and the data is now always located under 1832 + <literal>/var/lib/unifi/data</literal>. This is done to 1833 + make better use of systemd state direcotiry and thus 1834 + making the service restart more reliable. 1835 + </para> 1836 + </listitem> 1837 + <listitem> 1838 + <para> 1839 + The unifi logs can now be found under: 1840 + <literal>/var/log/unifi</literal> instead of 1841 + <literal>/var/lib/unifi/logs</literal>. 1842 + </para> 1843 + </listitem> 1844 + <listitem> 1845 + <para> 1846 + The unifi run directory can now be found under: 1847 + <literal>/run/unifi</literal> instead of 1848 + <literal>/var/lib/unifi/run</literal>. 1849 + </para> 1850 + </listitem> 1851 + </itemizedlist> 1852 + </listitem> 1853 </itemizedlist> 1854 </section> 1855 </section>
+5
nixos/doc/manual/release-notes/rl-2111.section.md
··· 509 - Dokuwiki now supports caddy! However 510 - the nginx option has been removed, in the new configuration, please use the `dokuwiki.webserver = "nginx"` instead. 511 - The "${hostname}" option has been deprecated, please use `dokuwiki.sites = [ "${hostname}" ]` instead
··· 509 - Dokuwiki now supports caddy! However 510 - the nginx option has been removed, in the new configuration, please use the `dokuwiki.webserver = "nginx"` instead. 511 - The "${hostname}" option has been deprecated, please use `dokuwiki.sites = [ "${hostname}" ]` instead 512 + 513 + - The [services.unifi](options.html#opt-services.unifi.enable) module has been reworked, solving a number of issues. This leads to several user facing changes: 514 + - The `services.unifi.dataDir` option is removed and the data is now always located under `/var/lib/unifi/data`. This is done to make better use of systemd state direcotiry and thus making the service restart more reliable. 515 + - The unifi logs can now be found under: `/var/log/unifi` instead of `/var/lib/unifi/logs`. 516 + - The unifi run directory can now be found under: `/run/unifi` instead of `/var/lib/unifi/run`.
+26 -54
nixos/modules/services/networking/unifi.nix
··· 9 ${optionalString (cfg.maximumJavaHeapSize != null) "-Xmx${(toString cfg.maximumJavaHeapSize)}m"} \ 10 -jar ${stateDir}/lib/ace.jar 11 ''; 12 - mountPoints = [ 13 - { 14 - what = "${cfg.unifiPackage}/dl"; 15 - where = "${stateDir}/dl"; 16 - } 17 - { 18 - what = "${cfg.unifiPackage}/lib"; 19 - where = "${stateDir}/lib"; 20 - } 21 - { 22 - what = "${cfg.mongodbPackage}/bin"; 23 - where = "${stateDir}/bin"; 24 - } 25 - { 26 - what = "${cfg.dataDir}"; 27 - where = "${stateDir}/data"; 28 - } 29 - ]; 30 - systemdMountPoints = map (m: "${utils.escapeSystemdPath m.where}.mount") mountPoints; 31 in 32 { 33 ··· 68 ''; 69 }; 70 71 - services.unifi.dataDir = mkOption { 72 - type = types.str; 73 - default = "${stateDir}/data"; 74 - description = '' 75 - Where to store the database and other data. 76 - 77 - This directory will be bind-mounted to ${stateDir}/data as part of the service startup. 78 - ''; 79 - }; 80 - 81 services.unifi.openPorts = mkOption { 82 type = types.bool; 83 default = true; ··· 136 ]; 137 }; 138 139 - # We must create the binary directories as bind mounts instead of symlinks 140 - # This is because the controller resolves all symlinks to absolute paths 141 - # to be used as the working directory. 142 - systemd.mounts = map ({ what, where }: { 143 - bindsTo = [ "unifi.service" ]; 144 - partOf = [ "unifi.service" ]; 145 - unitConfig.RequiresMountsFor = stateDir; 146 - options = "bind"; 147 - what = what; 148 - where = where; 149 - }) mountPoints; 150 - 151 - systemd.tmpfiles.rules = [ 152 - "d '${stateDir}' 0700 unifi - - -" 153 - "d '${stateDir}/data' 0700 unifi - - -" 154 - "d '${stateDir}/webapps' 0700 unifi - - -" 155 - "L+ '${stateDir}/webapps/ROOT' - - - - ${cfg.unifiPackage}/webapps/ROOT" 156 - ]; 157 - 158 systemd.services.unifi = { 159 description = "UniFi controller daemon"; 160 wantedBy = [ "multi-user.target" ]; 161 - after = [ "network.target" ] ++ systemdMountPoints; 162 - partOf = systemdMountPoints; 163 - bindsTo = systemdMountPoints; 164 - unitConfig.RequiresMountsFor = stateDir; 165 # This a HACK to fix missing dependencies of dynamic libs extracted from jars 166 environment.LD_LIBRARY_PATH = with pkgs.stdenv; "${cc.cc.lib}/lib"; 167 # Make sure package upgrades trigger a service restart ··· 209 SystemCallErrorNumber = "EPERM"; 210 SystemCallFilter = [ "@system-service" ]; 211 212 - # Required for ProtectSystem=strict 213 - BindPaths = [ stateDir ]; 214 215 # Needs network access 216 PrivateNetwork = false; ··· 220 }; 221 222 }; 223 224 meta.maintainers = with lib.maintainers; [ erictapen pennae ]; 225 }
··· 9 ${optionalString (cfg.maximumJavaHeapSize != null) "-Xmx${(toString cfg.maximumJavaHeapSize)}m"} \ 10 -jar ${stateDir}/lib/ace.jar 11 ''; 12 in 13 { 14 ··· 49 ''; 50 }; 51 52 services.unifi.openPorts = mkOption { 53 type = types.bool; 54 default = true; ··· 107 ]; 108 }; 109 110 systemd.services.unifi = { 111 description = "UniFi controller daemon"; 112 wantedBy = [ "multi-user.target" ]; 113 + after = [ "network.target" ]; 114 + 115 # This a HACK to fix missing dependencies of dynamic libs extracted from jars 116 environment.LD_LIBRARY_PATH = with pkgs.stdenv; "${cc.cc.lib}/lib"; 117 # Make sure package upgrades trigger a service restart ··· 159 SystemCallErrorNumber = "EPERM"; 160 SystemCallFilter = [ "@system-service" ]; 161 162 + StateDirectory = "unifi"; 163 + RuntimeDirectory = "unifi"; 164 + LogsDirectory = "unifi"; 165 + CacheDirectory= "unifi"; 166 + 167 + TemporaryFileSystem = [ 168 + # required as we want to create bind mounts below 169 + "${stateDir}/webapps:rw" 170 + ]; 171 + 172 + # We must create the binary directories as bind mounts instead of symlinks 173 + # This is because the controller resolves all symlinks to absolute paths 174 + # to be used as the working directory. 175 + BindPaths = [ 176 + "/var/log/unifi:${stateDir}/logs" 177 + "/run/unifi:${stateDir}/run" 178 + "${cfg.unifiPackage}/dl:${stateDir}/dl" 179 + "${cfg.unifiPackage}/lib:${stateDir}/lib" 180 + "${cfg.mongodbPackage}/bin:${stateDir}/bin" 181 + "${cfg.unifiPackage}/webapps/ROOT:${stateDir}/webapps/ROOT" 182 + ]; 183 184 # Needs network access 185 PrivateNetwork = false; ··· 189 }; 190 191 }; 192 + imports = [ 193 + (mkRemovedOptionModule [ "services" "unifi" "dataDir" ] "You should move contents of dataDir to /var/lib/unifi/data" ) 194 + ]; 195 196 meta.maintainers = with lib.maintainers; [ erictapen pennae ]; 197 }